UNITED STATES PATENT AND TRADEMARK OFFICE

Inventors: COLLINS et al.
Patent No: 5,848,159
Issued: December 8, 1998
For: "PUBLIC KEY CRYPTOGRAPHIC APPARATUS AND METHOD"
Docket No: 20206-0014 (PT-TA-410)

Assistant Commissioner for Patents
Box: Reissue
Washington, D.C. 20231



TRANSMITTAL FOR INFORMATION DISCLOSURE STATEMENT 



Enclosed for filing in the above-identified application is an Information Disclosure Statement
with attached Form PTO-1449 and copies of cited references.

The Commissioner is authorized to charge any required fees, or credit any overpayment, to
Deposit Account No. 02-3964 (Order No. 20206-0014 (PT-TA-410)).



Respectfully submitted, 



Leah Sherry
Reg. No. 43,918

OPPENHEIMER WOLFF & DONNELLY LLP
CUSTOMER NO. 25696
1400 Page Mill Road 
Palo Alto, CA 94304 
Telephone: 650-320-4000 
Facsimile: 650-320-4100 




SV/108827.01 
10132000/19:55/20206.14 



UNITED STATES PATENT AND TRADEMARK OFFICE 



Inventor: Collins et al. 
U.S. Patent No: 5,848,159 
Issue Date: December 8, 1998 



Docket No: 20206.14 (PT-TA-410) 



For: "PUBLIC KEY CRYPTOGRAPHIC APPARATUS AND METHOD"



Assistant Commissioner for Patents
Box: Reissue
Washington, D.C. 20231



INFORMATION DISCLOSURE STATEMENT 



Applicants submit herewith the references listed on the attached form PTO-1449 of which
Applicants are aware, which are believed to be material to the examination of this application and in
respect of which there may be a duty to disclose in accordance with 37 CFR 1.56.

The filing of this information disclosure statement shall not be construed as a representation that a
search has been made (37 CFR 1.97(g)), nor as an admission that the information cited is, or is considered
to be, material to patentability, nor as an admission that no other material information exists.

Respecting for example reference AC, the paper entitled "Using Four-Prime RSA in Which Some
of the Bits are Specified," Applicants believe that this reference teaches away from the claimed invention.
For instance, reference AC does not cover instances where the number of primes is K=3 and K>4.
Reference AC merely teaches the extension of 2 prime factors to 4 prime factors for a greater modulus n.
What is more, the 4 prime factors of n are not random but, rather, related through a relationship of the
form p_i = 2^k f_i + a_i. Namely, reference AC teaches a method for determining 4 related primes such that the
number of bits required to represent the primes is less than the sum of their length. (See: S.A. Vanstone et
al., p. 2118).

The filing of this information disclosure statement shall not be construed as an admission against
interest in any manner. Notice of January 9, 1992, 1135 O.G. 13-25, at 25.



OPPENHEIMER WOLFF & DONNELLY LLP 
1400 Page Mill Road 
Palo Alto, CA 94304 
Tel: (650)320-4000 
Fax: (650) 320-4100 



DATE: September 27, 2000 




Leah Sherry
Reg. No: 43,918 



SV/109033.01 
10142000/14:42/20206.14 



Sheet 1 of 2

FORM PTO-1449                                     U.S. DEPARTMENT OF COMMERCE
INFORMATION DISCLOSURE STATEMENT BY APPLICANT     PATENT AND TRADEMARK OFFICE

ATTY DOCKET NO.: 20206-0014 (PT-TA-410)          PATENT NO.: 5,848,159
APPLICANT: COLLINS et al.
ISSUE DATE: December 8, 1998                     GROUP: 2766



U.S. PATENT DOCUMENTS

EXAMINER           DOCUMENT                                       FILING DATE
INITIAL            NUMBER     DATE     NAME    CLASS  SUBCLASS    IF APPROPRIATE
          AA       5,761,310  06/1998  Naciri  380    30          07/18/1996



FOREIGN PATENT DOCUMENTS

DOCUMENT NUMBER   DATE   COUNTRY   NAME   CLASS   SUBCLASS   TRANSLATION (YES / NO)
AB

















OTHER DOCUMENTS (Including Author, Title, Date, Pertinent Pages, Etc.)

AC  S.A. VANSTONE et al., "Using Four-Prime RSA in Which Some of the Bits are Specified," December 8,
    1994, Electronics Letters, Vol. 30, No. 25, pp. 2118-2119.

AD  C. COUVREUR et al., "An Introduction to Fast Generation of Large Prime Numbers," 1982, Philips Journal of
    Research, Vol. 37, Nos. 5-6, pp. 231-264.

AE  Y. DESMEDT et al., "Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference
    Between DES and RSA?)," 1986, Lecture Notes in Computer Science, Advances in Cryptology - CRYPTO '86
    Proceedings.

AF  J. J. QUISQUATER et al., "Fast Decipherment Algorithm for RSA Public-Key Cryptosystem," October,
    Electronics Letters, Vol. 19, No. 21.

AG  CETIN KAYA KOC, "High-Speed RSA Implementation (Version 2.0)," November 1994, RSA White Paper,
    RSA Laboratories.

AH  RIVEST et al., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," February 1978,
    Communications of the ACM, Vol. 21.

AI  PKCS #1: RSA Encryption Standard (Version 1.5), November 1993, RSA Laboratories Technical Note.

AJ  M.O. RABIN, "Digitalized Signatures and Public-Key Functions as Intractable as Factorization," January
    1979, MIT Laboratory for Computer Science.

AK  R. LIDL et al., "Permutation Polynomials in RSA-Cryptosystems," 1984, Advances in Cryptology - Crypto
    '83, pp. 293-301.

AL  D. BONEH et al., "Generating a Product of Three Primes with an Unknown Factorization," Computer Science
    Department, Stanford University.

AM  J. J. QUISQUATER et al., "Fast Generation of Large Prime Numbers," June 1982, Library of Congress Catalog
    No. 72-179437, IEEE Catalog No. 82CH1767-3 IT, pp. 114-115.

AN  A. J. MENEZES et al., "Handbook of Applied Cryptography," 1997, Library of Congress Catalog No. 96-27609,
    pp. 89, 612-613.

(Form PTO-1449)
SV/108820.01
10132000/19:12/20206.14



EXAMINER 



DATE CONSIDERED 



Sheet 2 of 2 



EXAMINER: Initial if citation considered, whether or not citation is in conformance with MPEP 609; draw line through citation if not in conformance and not 
considered. Include copy of this form with next communication to applicant. 






United States Patent [19]
Naciri

US005761310A
[11] Patent Number: 5,761,310
[45] Date of Patent: Jun. 2, 1998

[54] COMMUNICATION SYSTEM FOR MESSAGES ENCIPHERED ACCORDING TO AN RSA-TYPE PROCEDURE

[75] Inventor: Robert Naciri, Châtenay-Malabry, France

[73] Assignee: De La Rue Cartes et Systèmes SAS, Paris, France

[21] Appl. No.: 683,493

[22] Filed: Jul. 18, 1996

[30] Foreign Application Priority Data
Jul. 26, 1995 [EP] European Pat. Off. 95 09085

[51] Int. Cl.6 H04L 9/30; H04L 9/00
[52] U.S. Cl. 380/30; 380/9; 380/23; 380/25; 380/49
[58] Field of Search 380/9, 23, 24, 25, 30, 49, 50

[56] References Cited

U.S. PATENT DOCUMENTS
4,405,829   9/1983   Rivest et al.    380/30
4,424,414   1/1984   Hellman et al.   380/30
4,736,423   4/1988   Matyas           380/23
4,870,681   9/1989   Sedlak           380/30
4,933,970   6/1990   Shamir           380/30
4,944,007   7/1990   Austin           380/30 X
5,588,061  12/1996   Ganesan et al.   380/30
5,627,893   5/1997   Demytko          380/30

OTHER PUBLICATIONS
"Fast Decipherment Algorithm for RSA Public-Key Cryptosystem", Electronics Letters, 14th Oct. 1982, vol. 18, No. 21, pp. 905-907.

Primary Examiner: Bernarr E. Gregory
Attorney, Agent, or Firm: Oliff & Berridge, PLC

[57] ABSTRACT

The procedure involves key numbers "d" and "e" and a modulus N, so that "N" is the product of two factors "p" and "q" which are prime numbers, N=p.q, and e.d=1 mod φ(N), where φ(N) is the Euler indicator function. The procedure provides enciphered message parts and for deciphering them comprises: a modulus-determining step for determining a deciphering modulus chosen from "p" and "q", a modular reduction step for making a first modular reduction of the number "d" with a modulus equal to said deciphering modulus "(p-1)" or "(q-1)" with the aim of producing a reduced number, a reduction step for making a second modular reduction of each enciphered message part with a modulus equal to said deciphering modulus with the aim of producing a reduced enciphered message part, an exponentiation step for computing a modular exponentiation of each reduced enciphered message part with a modulus equal to said deciphering modulus and with an exponent equal to said reduced number with the aim of restoring said message.

5 Claims, 3 Drawing Sheets
COMMUNICATION SYSTEM FOR MESSAGES ENCIPHERED ACCORDING TO AN RSA-TYPE PROCEDURE

BACKGROUND OF THE INVENTION

The present invention relates to a communication system for messages enciphered according to an RSA-type procedure which implies key numbers "d" and "e" and a modulus N, so that N is a product of two factors "p" and "q" which are prime numbers, N=p.q, and e.d=1 mod φ(N) where φ(N) is the Euler indicator function, which system comprises, on the one hand, at least an enciphering device formed by:

splitting means for splitting up the message to be enciphered into at least one message part to be enciphered,

exponentiation means for carrying out with each message part to be enciphered a modular exponentiation of modulus "N" and having an exponent equal to a first one of said key numbers with the aim of producing a part of the enciphered message, and also at least a deciphering device.

The invention likewise relates to a procedure utilized in the system, a user device of the microcircuit card type comprising on the same medium an enciphering device and a deciphering device, and a server center called entrusted center for processing information signals between the various user devices.

A procedure of this type is described in the article entitled "FAST DECIPHERMENT ALGORITHM FOR A PUBLIC-KEY CRYPTOSYSTEM" by J. J. Quisquater and C. Couvreur, published in ELECTRONICS LETTERS, 14th Oct. 1982. This procedure implies the use of the Chinese remainder theorem to obtain a rapid deciphering without harming the qualities of the RSA procedure.

SUMMARY OF THE INVENTION

The present invention, also based on the Chinese remainder theorem, proposes a system in which the rapidity of the deciphering process is improved to a very large measure.

Therefore, such a system is characterized in that it comprises at least a deciphering device formed by:

modulus-determining means for determining a deciphering modulus chosen from said factors,

first modular reduction means for making a first modular reduction of the number "d" with a modulus equal to said deciphering modulus reduced by unity for producing a reduced number,

second reduction means for making a second modular reduction of each enciphered message part with a modulus equal to said deciphering modulus with the aim of producing a reduced enciphered message part,

second exponentiation means for computing a modular exponentiation of each reduced enciphered message part with a modulus equal to said deciphering modulus and with an exponent equal to said reduced number with the aim of restoring said message.

Thus, due to the measures recommended by the invention, it is no longer necessary to perform the combining operation of the remainders of formula (1) of the aforementioned article.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.

In the drawings:

FIG. 1 shows a communication system according to the invention,
FIG. 2 shows an enciphering flow chart according to the invention,
FIG. 3 shows a deciphering flow chart according to the invention,
FIG. 4 shows the scheme of a user device, and
FIG. 5 shows a system according to the invention, which implies a server called confidence server and a plurality of user devices.

DESCRIPTION OF PREFERRED EMBODIMENTS

In FIG. 1, reference 1 indicates the enciphering device. This one receives a message M, for example the French word "BONJOUR" which means GOOD-DAY. This message is split up by the splitting means 3 into message parts to be enciphered. These parts are formed each by letters forming the part and a sequence of digital codes is obtained, for example, the decimal digital codes M1=66, M2=79, M3=78, M4=74, M5=79, M6=85, M7=82, which represent the ASCII codes for "BONJOUR". Exponentiation means 5 perform exponentiations of these digital codes by taking parameters "e" and "N" in accordance with measures of which the first one results directly from the invention:

Numbers p and q are taken to be higher than 255: p=263 and q=311, so that N=p.q=81793.

"e" is selected so that it is a prime number with p-1 and q-1, that is: e=17.

Now one determines d: e.d=1 mod φ(N) [...]; in the case where p and q are prime numbers [...], that is: e.d=1 MOD(40610). Among the "d" [...] 34943.

[...] exponentiation means 5 perform the exponentiation of each of said codes:

C_i = M_i^17 mod 81793, i = 1 ... 7

giving the coded message which comprises the enciphered parts:

C1=62302, C2=47322, C3=74978, C4=00285, C5=47322, C6=09270, C7=54110.

According to the invention, for deciphering this message, a deciphering device 10 is provided. This device uses a first means for determining the deciphering modulus from the numbers "p" and "q"; preferably, the smaller of the two is chosen to gain on the calculations, that is:

p=(263),

second means perform the modular reducing operation with a number "d" [...] 195 [...]. Then, depending on the modulus "p", the enciphered message parts are reduced, [...] = 234, respectively, C'2=245, C'3=023, C'4=022, C'5=245, C'6=065, C'7 [...] giving the deciphered message parts:




The message "m" is then restored by concatenation, by the 
final restoring means 4 transcribing in usual characters. If 
everything is done well m=M. 
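The enciphering and fast deciphering steps described above, carried through with the page's own parameters, as an added example in Python (not code from the patent or its assignee; it assumes Python 3.8+ for `pow(e, -1, m)`). It derives d from e modulo lcm(p-1, q-1) = 40610 as the page does, rather than taking the printed value, because the printed 34943 does not satisfy e.d ≡ 1 (mod 40610) in this scan while 54943 does; 54943 and the smallest representative 14333 both reduce to the same dr = 185 modulo p-1. The example also shows why box K1 of FIG. 2 exists: deciphering modulo p alone returns m mod p, so a part that is not smaller than p comes back silently wrong rather than being rejected at the receiver, which is the check a defender should keep on the sending side.

```python
from math import gcd

# Parameters of the patent's worked example (page values): p=263, q=311, e=17.
P, Q, E = 263, 311, 17
N = P * Q  # 81793

# Enciphered parts printed on the page for "BONJOUR"
# (C4 and C6 are printed with leading zeros as 00285 and 09270).
PAGE_CIPHER = [62302, 47322, 74978, 285, 47322, 9270, 54110]


def private_exponent(e, p, q):
    """d with e.d = 1 mod lcm(p-1, q-1); the page works modulo 40610 for these primes."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)


def split_message(text):
    """Splitting means 3: one message part per character, as its ASCII code."""
    return [ord(ch) for ch in text]


def encipher(parts, e, n, p, q):
    """Enciphering device 1 (FIG. 2): box K1 check, then box K5 exponentiation."""
    limit = min(p, q)  # the deciphering modulus the receiver will use
    for m in parts:
        if m >= limit:
            # Box K2: a part >= p cannot be restored modulo p (only m mod p would come back)
            raise ValueError(f"message part {m} is not smaller than {limit}")
    return [pow(m, e, n) for m in parts]


def decipher_fast(cipher_parts, d, p):
    """Deciphering device 10 (FIG. 3): reduce d mod (p-1), reduce each part mod p,
    exponentiate mod p. No recombination with q is performed."""
    dr = d % (p - 1)                         # first modular reduction -> reduced key number
    reduced = [c % p for c in cipher_parts]  # second modular reduction
    restored = [pow(cr, dr, p) for cr in reduced]
    return dr, reduced, restored


def decipher_textbook(cipher_parts, d, n):
    """Ordinary RSA decryption modulo N, for comparison."""
    return [pow(c, d, n) for c in cipher_parts]


def overflow_demo(m, d):
    """Why box K1 exists: a part between p and N deciphers (mod p) to m mod p only."""
    c = pow(m, E, N)
    return decipher_textbook([c], d, N)[0], decipher_fast([c], d, P)[2][0]


def run_page_example():
    d = private_exponent(E, P, Q)
    parts = split_message("BONJOUR")
    cipher = encipher(parts, E, N, P, Q)
    dr, reduced, restored = decipher_fast(cipher, d, P)
    return {
        "d_mod_lambda": d, "cipher": cipher, "dr": dr,
        "reduced": reduced, "message": "".join(chr(x) for x in restored),
    }


if __name__ == "__main__":
    print(run_page_example())
    print(overflow_demo(300, private_exponent(E, P, Q)))  # (300, 37)
```

The round trip reproduces the page's C1..C7 exactly and restores "BONJOUR" from the mod-263 residues; `overflow_demo` shows the failure mode the K1 test guards against.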

The enciphering device 1 and the deciphering device 10 are actually put into effect based on processors programmed for executing the operations of the flow charts shown in FIGS. 2 and 3 which follow.

The flow chart of FIG. 2 explains the operation of the device 1. Box K1 indicates a test made with each part of the enciphered message. If this value exceeds that of the selected deciphering modulus (thus the smaller of "p" and "q"), then it is declared that there is an error in box K2. If not, box K5 is proceeded to, where the actual enciphering operation is carried out, that is to say, a modular exponentiation. Thus, enciphered message parts C_i are obtained.

The flow chart of FIG. 3 shows the deciphering operations carried out by the deciphering device 10. This flow chart shows in box K10 an operation prior to the reduction of the number d to obtain a reduced key number "dr". Box K11 is a modular reducing operation of "p", carried out with the enciphered message parts, and box K14 is a modular exponentiation of modulus "p" and whose exponent is "dr" with the enciphered message parts.

The enciphering and deciphering devices may be inserted on the same medium to form a user device. The devices can then communicate with each other by utilizing the enciphering procedure according to the invention.

FIG. 4 shows the structure of a user device. This device is made on the basis of a trusted microcontroller such as, for example, the 83C852 made by Philips. Such a microcontroller 31 is shown in FIG. 4 and formed by a microprocessor 32, a random access memory 33 and a read-only memory 34 which notably contains instructions of operation for implementing the invention, notably the enciphering operations and deciphering operations already described. It also comprises an EEPROM memory 35 for containing various data such as the secret key of the card, the public key of a third party with which it exchanges information signals ... It also comprises a calculation unit 36 which carries out the necessary operations for the functions of enciphering, a management unit 37 for the inputs/outputs furthermore connected to an input I/O of the microcontroller 31. Said elements of the microcontroller 31 are interconnected by a bus 38.

Any additional detail may be found back in the manual of the microcontroller 83C852 mentioned above.

An interesting example of an application of the invention is the transfer of a DES key by the RSA, as this has been described in the article "Threats of Privacy and Public Keys for Protection" by Jim Bidzos, published in the document PROCEEDINGS OF COMPCON '91, 36th IEEE COMPUTER SOCIETY INTERNATIONAL CONFERENCE, 25 Feb. to 1 Mar. 1991, San Francisco-N.Y. (U.S.). The protocol for exchanging a DES session key between two users A and B via a public channel may be as follows. Let {n_A, d_A} and {n_B, d_B} be the respective secret keys of the users A and B. For example, A wishes to transmit the session key K_S to B.
User A
the enciphering is carried out by using the public key e_B:
C_KS = K_S^e_B mod n_B
and the cryptogram is transmitted by the public channel.

User B
reception of the cryptogram m = C_KS
deciphering of the cryptogram m^d_B mod n_B = K_S
the use of key K_S

Generally, K_S is considerably smaller than an RSA key. K_S may be a DES session key of the order of 56 binary elements and p and q are of the order of 256 bits.

Lots of official bodies prohibit the enciphering of messages in public communications. The invention applies particularly well when a confidence server SC is used to avoid this prohibition.

This case is shown in FIG. 5. This figure illustrates the case where a plurality of user devices A, B, ... X can communicate with each other via a confidence server SC. This server SC has all the knowledge to know all the messages exchanged by the various users uncoded.

By way of example there is explained the case where the user A wishes to communicate a DES key to user B. Thus, A enciphers the key K_S with the aid of the public key e_SC of the server SC, which itself deciphers same upon reception, then enciphers it with B's public key e_B. Finally, B deciphers the cryptogram with the aim of finding back the key which was initially sent by A.

Thus, in this case the procedure is applied both at the deciphering end of the user B and at that of server SC. Thus, the invention is used to obtain a good availability of the server for a plurality of users. The gain of computation caused by the invention is particularly noticeable.
What is claimed is:

1. Communication system for messages enciphered according to an RSA-type procedure which implies key numbers "d" and "e" and a modular number N, so that "N" is a product of two factors "p" and "q" which are prime numbers, N=p.q, and that e.d=1 mod φ(N) where φ(N) is the Euler indicator function, which system comprises, on the one hand, at least an enciphering device formed by:
splitting means for splitting up the message to be enciphered into at least one message part to be enciphered,
exponentiation means for carrying out with each message part to be enciphered a modular exponentiation of modulus "N" and having an exponent equal to a first one of said key numbers with the aim of producing a part of the enciphered message; and on the other hand at least a deciphering device, characterized in that it comprises at least a deciphering device formed by:
modulus determining means for determining a deciphering modulus chosen from said factors,
first modular reduction means for making a first modular reduction of the number "d" with a modulus equal to said deciphering modulus reduced by unity for producing a reduced number,
second reduction means for making a second modular reduction of each enciphered message part with a modulus equal to said deciphering modulus with the aim of producing a reduced enciphered message part,
second exponentiation means for computing a modular exponentiation of each reduced enciphered message part with a modulus equal to said deciphering modulus and with an exponent equal to said reduced number with the aim of restoring said message.

2. Enciphering/deciphering procedure utilized in the system as claimed in claim 1, according to which procedure, and for enciphering a message:
said message is split up into message parts to be enciphered,
each part undergoes a modulo-N modular exponentiation operation with an exponent equal to a first one of said key numbers, for producing enciphered message parts,
and for deciphering the message:
the enciphered message parts undergo a deciphering exponentiation operation for producing deciphered message parts, characterized in that
the message parts to be enciphered are presented in the form of numbers smaller than the numbers p and q,
the deciphering exponentiation operation comprises:
a step for determining a deciphering modulus chosen from said factors,
a preceding step for making a first modular reduction of the number "d" with a modulus equal to said deciphering modulus reduced by unity with the aim of producing a reduced number,
a step for making a second modular reduction of the parts of the enciphered messages with a modulus equal to said deciphering modulus for producing reduced enciphered message parts,
a modular exponentiation step made with the parts of the reduced enciphered messages with a modulus equal to said deciphering modulus and with an exponent equal to said reduced number.
3. User device for a communication system in which messages are enciphered according to an RSA-type procedure which implies key numbers "d" and "e" and a modular number N, so that "N" is a product of two factors "p" and "q" which are prime numbers, N=p.q, and that e.d=1 mod φ(N) where φ(N) is the Euler indicator function, said user device comprising an enciphering device formed by:
splitting means for splitting up the message to be enciphered into at least one message part to be enciphered,
exponentiation means for computing with each message part to be enciphered a modular exponentiation of modulus "N" and having an exponent equal to a first one of said key numbers, with the aim of producing a part of the enciphered message, and at least a deciphering device, characterized in that the enciphering device is formed by:
modulus determining means for determining a deciphering modulus chosen from said factors,
first modular reduction means for making a first modular reduction of the number "d" with a modulus equal to said deciphering modulus reduced by unity for producing a reduced number,
second reduction means for making a second modular reduction of each enciphered message part with a modulus equal to said deciphering modulus with the aim of producing a reduced enciphered message part,
second exponentiation means for effecting a modular exponentiation of each reduced enciphered message part with a modulus equal to said deciphering modulus and with an exponent equal to said reduced number to restore said message.

4. User device as claimed in claim 3, wherein said user device comprises a chip card.

5. Server for a communication system for messages enciphered according to an RSA-type procedure which implies key numbers "d" and "e" and a modular number N, so that "N" is a product of two factors "p" and "q" which are prime numbers, N=p.q, and that e.d=1 mod φ(N) where φ(N) is the Euler indicator function, said server comprising an enciphering device and a deciphering device for using intermediaries with user devices, said enciphering device formed by:
splitting means for splitting up the message to be enciphered into at least one message part to be enciphered,
exponentiation means for computing with each message part to be enciphered a modular exponentiation of modulus "N" and having an exponent equal to a first one of said key numbers, with the aim of producing a part of the enciphered message,
and characterized in that said deciphering device is formed by:
modulus determining means for determining a deciphering modulus chosen from said factors,
first modular reduction means for making a first modular reduction of the number "d" with a modulus equal to said deciphering modulus reduced by unity with the aim of producing a reduced number,
second reduction means for making a second modular reduction of each enciphered message part with a modulus equal to said deciphering modulus with the aim of producing a reduced enciphered message part,
second exponentiation means for computing a modular exponentiation of each reduced enciphered message part with a modulus equal to said deciphering modulus and with an exponent equal to said reduced number to restore said message.
Using four-prime RSA in which some of the bits are specified (S.A. Vanstone et al., reference AC)

Indexing terms: Cryptography

In this Letter the authors apply their method of predetermining a certain number of bits of the RSA public key modulus to RSA using four primes. The method works as well using four primes as it does with two, and does not appear to decrease the security level. It appears that at most 252 bits can be predetermined, whereas in the two-prime case half of the bits could be specified.

Introduction: Traditionally, the RSA cryptosystem [1] has been used with two primes and a modulus of 512 bit. Recent advances in factoring, however, have made 512 bit RSA dangerously close to insecure. For this reason, the use of 1024 bit RSA is now recommended. It may be of some advantage to use the same database of primes for 1024 bit RSA as was used for 512 bit RSA. This would mean using a 1024 bit RSA with four primes. Also, it would be desirable to be able to predetermine some of these bits to effectively reduce the key size for transmission and storage purposes as was done for two-prime RSA in [2, 3]. This would be particularly advantageous where a group of users use the same t bit as the high- and low-order bit of their public key modulus. Then only 1024-t bit need to be stored for each user and one copy of the t bit for the entire group. There may be situations where a user would like the t bit to be a binary representation of their user ID and other publicly available information. This situation can also be implemented. We show that one can always specify up to 252 bit of a 1024 bit modulus using four primes.



Using four-prime RSA: In this version of RSA, four primes of 256 bit are generated. Let these primes be p_i for i = 1, 2, 3, 4. Then a random e together with n is taken as the public key, with d_i = e^{-1} (mod (p_i - 1)) being the private key. The message M is encrypted as C = M^e (mod n). Decryption is accomplished by calculating M_i = C^{d_i} (mod p_i) for i = 1, 2, 3, 4 and combining the results using the Chinese remainder theorem. This causes a doubling of the decryption time over 512 bit RSA, compared with an increase by a factor of 4 using conventional 1024 bit RSA.

Using four-prime RSA would give the added security advantage of using a 1024 bit modulus. The only factoring algorithm that may be more effective on a four-prime modulus than on the usual modulus using two primes is the elliptic curve factoring algorithm [4]. Using known running times, it appears that the number field sieve would require about 10^[...] operations to factor such a number, while the elliptic curve algorithm would use about 10^[...] operations. This appears to be infeasible because to date, the elliptic curve method has been unsuccessful in finding factors of greater than 40 digits [5, 6], and here the primes are about 80 digits. The use of four-prime RSA also allows one to use the same database of primes as was used in 512 bit RSA, and does not increase decryption time as much as using two-prime 1024 bit moduli.
Specifying some of the bits: Let f_i be a t-bit integer and a_i be l bit for i = 1, 2, 3, 4. Now, if we let n = \prod_{i=1}^{4} p_i where p_i = 2^k f_i + a_i, then we obtain

$$
\begin{aligned}
n ={}& 2^{4k} f_1 f_2 f_3 f_4 \\
&+ 2^{3k}\,(a_1 f_2 f_3 f_4 + f_1 a_2 f_3 f_4 + f_1 f_2 a_3 f_4 + f_1 f_2 f_3 a_4) \\
&+ 2^{2k}\,(a_1 a_2 f_3 f_4 + a_1 f_2 a_3 f_4 + a_1 f_2 f_3 a_4 + f_1 a_2 a_3 f_4 + f_1 a_2 f_3 a_4 + f_1 f_2 a_3 a_4) \\
&+ 2^{k}\,(f_1 a_2 a_3 a_4 + a_1 f_2 a_3 a_4 + a_1 a_2 f_3 a_4 + a_1 a_2 a_3 f_4) \\
&+ a_1 a_2 a_3 a_4 .
\end{aligned}
$$

We would like n to be 1024 bit so we must have 4k + 4t = 1024. We would also like the product f_1 f_2 f_3 f_4 to be specified ahead of time and visible as the top 4t bit of n. To allow this we would require the remaining terms to be less than 4k bit. In other words, 3k + 3t + l + 3 < 4k. To make the product a_1 a_2 a_3 a_4 difficult to obtain we need at least 60 bit of rippling into the 2^k term. Thus k + 60 < 4l. Now we want to maximise the number of bit that can be specified ahead of time. To do this we want to maximise the size of the product f_1 f_2 f_3 f_4 and the number of bit of a_1 a_2 a_3 a_4 that are not hidden. Thus we want to maximise 4t + l. Solving this integer linear program we obtain k = 210, l = 68 and t = 46. This gives at most 394 bit of the product that can be specified ahead of time. As is shown below, to generate these primes effectively, at most l low-order bit should be specified. With the above parameters this gives at most 252 bit of the product that can always be specified. To make this generation feasible, we would also require that ~20 bit be available to search the residue class, so we should only specify about 48 low-order bit, giving 232 bit that could be predetermined.

This could be accomplished by first choosing random a_1, a_2 and a_3 until p_1, p_2 and p_3 are prime. We are assuming here that f_1, f_2, f_3 and f_4 are public knowledge and predetermined. If we wish the last 48 bit of n to be α, we then solve the congruence a_1 a_2 a_3 y ≡ α (mod 2^48) for y. Because y is 48 bit long and we require a_4 ≡ y (mod 2^48), where a_4 is 68 bit long, we can search this residue class until we obtain a p_4 that is prime.

Using this as a base case, all four schemes presented in [2] can be realised. We believe that this is the largest number of bits that can be predetermined, generalising the ideas presented.
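The generation procedure just described (p_i = 2^k f_i + a_i with public f_i, the top 4t bits of n fixed by f_1 f_2 f_3 f_4 and the low-order bits fixed by searching a_4 in a residue class) together with the four-prime CRT decryption of the previous section, as an added example in Python that is not code from the paper. It uses scaled-down constructed parameters (k=42, t=8, l=14 and 6 prespecified low-order bits, chosen so that the paper's condition 3t + l + 3 < k still holds) instead of the 1024-bit values, a fixed-base Miller-Rabin test that is deterministic at these sizes, and constructed sample values for f_i, α and the seed; it assumes Python 3.8+ for `pow(x, -1, m)`.

```python
import random
from math import gcd

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

# Constructed toy parameters (the paper uses k=210, t=46, l=68 for a 1024-bit n).
K, T, L, S = 42, 8, 14, 6            # a_i has L bits; the low S bits of n are prespecified
F = (0x95, 0xA7, 0xB3, 0xC1)         # four public T-bit values f_1..f_4 (constructed)
ALPHA = 0x2B                         # wanted low-order bits of n (odd, since n is odd)
E = 65537


def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases: deterministic below 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def layout_ok(k, t, l):
    """Paper's condition for the top 4t bits of n to equal f1 f2 f3 f4:
    the 2^(3k) group must stay below 2^(4k), i.e. 3k + 3t + l + 3 < 4k."""
    return 3 * t + l + 3 < k


def generate_modulus(f, alpha, k, t, l, s, e, rng):
    """Return (n, primes, a) with p_i = 2^k f_i + a_i, n >> 4k == f1 f2 f3 f4 and
    n mod 2^s == alpha. a_1..a_3 are random odd l-bit values; a_4 is searched in the
    residue class fixed by a1 a2 a3 y = alpha (mod 2^s)."""
    assert alpha % 2 == 1 and layout_ok(k, t, l) and s <= l <= k
    mod_s = 1 << s
    while True:
        a = []
        for i in range(3):
            while True:
                ai = rng.getrandbits(l) | 1          # odd, so a1 a2 a3 is invertible mod 2^s
                pi = (f[i] << k) + ai
                if is_probable_prime(pi) and gcd(e, pi - 1) == 1:
                    a.append(ai)
                    break
        # n = a1 a2 a3 a4 (mod 2^k), so the low s bits of n depend on a4 only.
        y = alpha * pow(a[0] * a[1] * a[2], -1, mod_s) % mod_s
        for j in range(1 << (l - s)):               # walk the class y + j*2^s, a4 < 2^l
            a4 = y + (j << s)
            p4 = (f[3] << k) + a4
            if is_probable_prime(p4) and gcd(e, p4 - 1) == 1:
                primes = [(f[i] << k) + ai for i, ai in enumerate(a + [a4])]
                n = primes[0] * primes[1] * primes[2] * primes[3]
                return n, primes, a + [a4]
        # No prime in the class: redraw a1..a3 (the paper keeps ~20 bits of search room).


def private_parts(primes, e):
    """d_i = e^-1 mod (p_i - 1), one per prime."""
    return [pow(e, -1, p - 1) for p in primes]


def crt_decrypt(c, primes, d_parts):
    """M_i = C^d_i mod p_i for each prime, then recombine with the Chinese remainder theorem."""
    n = 1
    for p in primes:
        n *= p
    m = 0
    for p, di in zip(primes, d_parts):
        ni = n // p
        m += pow(c, di, p) * ni * pow(ni, -1, p)
    return m % n


def demo(seed=1):
    """Generate a structured four-prime modulus and check an encrypt/CRT-decrypt round trip."""
    rng = random.Random(seed)
    n, primes, a = generate_modulus(F, ALPHA, K, T, L, S, E, rng)
    m = 123456789
    c = pow(m, E, n)
    return n, primes, crt_decrypt(c, primes, private_parts(primes, E)) == m


if __name__ == "__main__":
    n, primes, ok = demo()
    print(hex(n >> (4 * K)), hex(n % (1 << S)), ok)
```

Two properties are worth checking after generation, because they are exactly what a reviewer of such a key would ask: the high bits of n are the known product f_1 f_2 f_3 f_4 (a public, shared structure, which is why the paper's security section asks whether this helps factoring), and the low bits equal α. The recombination step is the standard CRT the paper describes; only a_4 is searched, which keeps the per-key generation cost at four prime searches.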

Security issues: As mentioned in [2], predetermining some of the bits of an RSA modulus appears to be as secure as using a general modulus. Using four primes, however, gives much smaller prime factors and may allow the elliptic curve factoring method to be more of an attack. As mentioned above, we do not believe this should be a major concern. None of the other known factoring algorithms appears to be able to factor numbers of this size, regardless of the fact that they have four primes or the special structure imposed by prespecifying some of the bits.

Two additional attacks were mentioned in the original paper. They were not feasible for 1024 bit moduli. After generalisation to four primes, they do not appear to even apply. For this reason, there may even be an increase in security to using four-prime RSA over two prime RSA and predetermining some of the bits.

Conclusion: It appears that, when predetermining some of the bits of an RSA modulus, it may be worthwhile to use four primes instead of the usual two.
Combined sapphire oscillator - hydrogen
maser frequency standard

M.E. Costa, J.W. He, A.G. Mann, A.N. Luiten and
D.G. Blair

Indexing terms: Oscillators, Masers, Frequency measurement,
Measurement standards

An attempt has been made to create a superior frequency
standard by combining the excellent short term frequency stability
of a sapphire oscillator with the long-term stability of a hydrogen
maser. The combined frequency standard closely follows the
hydrogen maser in the long term and has good stability at short
integration times, although it falls short of the actual sapphire
oscillator stability due to phase noise in the hydrogen maser
output signal.

Introduction: A variety of high stability oscillators have been
developed that have excellent performance in either the short- or
long-term domains [1]. In particular, as shown in Fig. 1, the sapphire
oscillators developed at the University of Western Australia
have achieved a frequency stability of 3 x 10^(-1?) (exponent illegible in the scan) at short integration
times [2] and the hydrogen masers developed at Shanghai Observatory
have a stability of 3-6 x 10^(-1?) (exponent illegible in the scan) at long integration times [3].
Fig. 1 Fractional frequency stability of University of Western Australia's sapphire oscillator and Shanghai Observatory's hydrogen maser
(x axis: integration time, s; curves: hydrogen maser; sapphire oscillator)

This Letter reports an attempt to create a superior frequency
standard by combining in a 5 MHz quartz crystal the excellent
short-term stability of a sapphire oscillator and the long-term stability
of the Shanghai Observatory hydrogen maser. To achieve
this a Vectron CO-246 quartz crystal oscillator is broadband
(tightly) phaselocked to the sapphire oscillator and narrowband
(loosely) locked to the hydrogen maser. The combined frequency
standard has the hydrogen maser stability at long integration
times and is at the 10^(-1?) level (exponent illegible in the scan) at short integration times. This falls
short of the sapphire oscillator stability but is a substantial
improvement over the normal hydrogen maser short-term stability.



Combining the frequency standards: Fig. 2 is a simplified schematic
diagram of the combined sapphire oscillator-hydrogen maser frequency
standard. In the broadband phaselocked loop the 5 MHz
signal from the quartz crystal is multiplied to 320 MHz and then
applied to a step recovery diode to generate a comb of harmonics
extending to microwave frequencies. These are used to heterodyne
the 11.93 GHz signal from the sapphire oscillator down to about
11 MHz, which is then mixed with two HP3325 function generators
(locked to the crystal) to yield a control signal that steers the
crystal. One of the HP3325s is purposely set to 90 kHz, so that it
has a microhertz fine-tuning capability, and the other to the
remaining part of the 11 MHz difference frequency.

The phaselocked quartz crystal oscillator must satisfy the condition

$(2334 + \alpha_1 + \alpha_2) \times (5 + \delta)\ \mathrm{MHz} = 11.931792\ \mathrm{GHz}$    (1)

where the 11.93 GHz constant on the right hand side is the frequency
of the sapphire oscillator, $\delta$ is the tuning adjustment from
the broadband phaselocked loop and $\alpha_1$ and $\alpha_2$ are the nonintegral
multiplicands provided by the ~11 MHz and ~90 kHz
HP3325s, respectively.
Fig. 2 Simplified schematic diagram of the combining scheme used to
stabilise a quartz crystal oscillator with a sapphire oscillator and a
hydrogen maser

Fig. 2 also shows the computer-controlled narrowband loop
incorporating the hydrogen maser. To provide adequate sensitivity
to the phase-difference fluctuations and to suit the available
microwave hardware, the phase comparison between the crystal
and the hydrogen maser was made at 9.6 GHz. This tone is generated
from the hydrogen maser by applying the available 100 MHz
signal to a step recovery diode and it is available from the crystal
in the microwave comb of the broadband phaselocked loop. The
beat waveform produced by mixing these tones together is digitised
in the computer, processed in a software loop filter [4] and
then converted to a frequency offset that is programmed into the
90 kHz HP3325. Tuning the HP3325, which provides the factor $\alpha_2$
in eqn. 1, causes an overall change in the multiplicand of the
broadband phaselocked loop. The broadband loop compensates
for this change by adjusting the crystal offset frequency $\delta$ to maintain
the phase-lock condition expressed in eqn. 1. Thus the quartz
crystal is steered to follow the hydrogen maser in the long term
but always remains locked to the sapphire oscillator, from which it
derives its good short-term stability.

The microhertz tuning resolution of the 90 kHz HP3325 permits
steering of the crystal in discrete frequency steps that are much
smaller than the inherent frequency fluctuations of the reference
oscillators. The time constant of the software filter is set to 1000 s,
which is approximately the integration-time crossing point of the
TABLE 1

Comparisons of effective methods for primality testing.

| Method of primality testing    | gives a rigorous proof of primality | depends on factorization | ease of implementation      | speed of execution      | references                                                                                                                |
|--------------------------------|-------------------------------------|--------------------------|-----------------------------|-------------------------|---------------------------------------------------------------------------------------------------------------------------|
| 1. special functions           | yes                                 | yes                      | from easy to very difficult | from slow to very rapid | Lehmer 79, 89, 90); Brillhart et al. 22); Williams et al. 23, ...); Morrison et al. 91, 92); Adleman and Leighton 93)       |
| 2. extension fields            | yes                                 | no                       | very difficult              | rapid                   | Adleman and Rumely 94); Pomerance 9?); Lenstra 96, 97); Cohen 98)                                                         |
| 3. probabilistic (Monte-Carlo) | no                                  | no                       | (cell illegible in the scan) | very rapid              | Miller 66, 67); Malm 99); extended Riemann's hypothesis (E.R.H.)                                                          |
Abstract

This paper proposes several public key systems whose security is based on the
tamperfreeness of a device instead of the computational complexity of a trapdoor one-way
function. The first identity-based cryptosystem to protect privacy is presented.

EXTENDED ABSTRACT

1 Introduction

We first give three main motives for this paper and overview the presented ideas.

Since the invention of public-key systems by Diffie and Hellman almost all public-key
systems proposed were based on some computational hard problems (e.g. factoring). It
was however shown that it is not easy to design a secure public-key system based on
computational hard problems. Examples of failures are the Lu-Lee system, the Merkle-Hellman
knapsack scheme (and others) and the Matsumoto-Imai scheme. If we remark
that the McEliece scheme is not enough analysed to be used, there do not exist fast
public-key systems (the speed of RSA is today less than 64 kbit/sec). This is one of the
main reasons to come up with other public-key systems.

Bennett and Brassard remarked that it is not necessary to use computational complexity
to design a public-key system. As an example they started from the uncertainty
principle, which claims that some physical problems are very hard to solve (impossible
to measure). Bennett and Brassard mentioned that their system would remain secure
if NP=P and if factoring would be easy. However the cryptosystems they proposed are
today impractical. One can conclude that a second reason for this paper is to design
cryptosystems which are not based on the assumption that trapdoor one-way functions
exist.

The authenticity of the public key is a major problem in the set-up of a secure cryptosystem,
certainly in the case of a large network. A nice solution was proposed by Shamir
in 1984 called "identity-based cryptosystem". Instead of using the public key of the receiver
(to encrypt in order to protect the privacy of a message), the name of the receiver
is used as public key. The secret key of each user was calculated by an authority at the
start-up of the system. (It is not excluded that the authority destroys itself after the
start-up of the system.) Public-key systems, identity-based cryptosystems and their key
generation are systematically explained in Fig. 1.
Figure 1: Key generation for public-key and identity-based systems

Figure 2: A first implementation of a public-key system



In our paper we start from the assumptions that hard conventional systems exist and
that it is possible to make tamperfree devices. Remark that the first assumption is based
on the complexity of algorithms, but seems acceptable, certainly if one takes into consideration
that it is much harder to build trapdoor one-way public-key systems than
conventional ones. Without the second assumption a lot of modern uses of cryptography
would become insecure. Indeed a secure system must be tamperfree, otherwise an opponent
can simply steal the secret key used in the system. Several practical systems start
from this second assumption. E.g., a software copyright protection system proposed by
NPL becomes completely insecure if tamperfree devices can not be built. Remark too
that each identification method is at least partially based on some tamperfree system or
card (see also Section 5).

Given two conventional cryptosystems and the existence of tamperfree implementations
we propose in our full paper several public-key systems, and the first identity-based
cryptosystem to protect privacy.

2 Public keys 

2.1 The basic idea 

Let us give an example of such a system. From now on we call E′, D′, E″ and D″ the
encryption and decryption of respectively the first and second conventional cryptosystems.
Special cases use the algorithm DES in encryption mode for E′ and E″ or decryption mode
for D′ and D″. To obtain a public-key system three devices are used: an encryption
device (corresponding to the operation E), a decryption device (corresponding to the
operation D) and a system which generates the public key starting from the secret key
(corresponding to the operation G). Each user of the system generates a secret key k. He
obtains his corresponding public key K by applying G on k, or K = G(k). The device G
is nothing but E″ with a supersecret key s (which in the best case nobody knows). The
device G is tamperfree so that it is hard to find the key s. In this example the supersecret
key s is used in all devices G.

2.2 Two implementations of such a public-key system 

We now discuss two implementations to obtain such a public-key system (see also Fig. 2
and Fig. 3).

In the first example (see also Fig. 2) the decryption device (D) uses the secret key.
In fact here D is equal to D′. The encryption device (E) uses as a black box the public
key K. The system E is built up using E′ and D″. The box E is tamperfree. In the
box E first D″ is used to find k, or k = D″(K) using the supersecret key s. This last
calculation is done inside E, and no trace of this calculation and its result can leak out to
the outside world. In other words because the device E is tamperfree it is hard to find k.
The encryption of messages is done by E′ using the key k.

The described scheme can be used to protect, as a public-key system, the privacy and
authenticity of messages as well as to sign. To protect privacy the sender uses E with the
public key of the receiver (although the receiver uses D with his secret key). Remark again
that, although the sender in fact uses the secret key of the receiver, he cannot access it.
To sign the sender uses D with his secret key (evidently redundancy is introduced in the
message). The receiver can check the signature (using the mentioned redundancy). The
sender is the only one who could generate that signature.

Figure 3: A second implementation of a public-key system

Figure 4: The first identity-based system to protect privacy

The second implementation has the advantage that each user in the system has the
same tamperfree device for encryption as well as for decryption. Let us describe such a
system in some words. For this paragraph, we refer to Fig. 3. Let (T) be the tamperfree
device used in the system. As for the first system, each user i generates a secret key k_i
and a corresponding public key K_i. For that he uses the device G as already discussed.
The device (T) contains E′, D′, D″ and the supersecret key s as described in Fig. 3. To
send an encrypted message to a user B, a user A uses the device (T) in mode encryption
and applies his secret key k_A to the input z and the public key K_B of the user B to
the input y. To decrypt this message the user B uses the device (T) in mode decryption
and applies his secret key k_B to the input z and the public key of the user A to the
input y. In these two phases, the effective key in use is the same but is unknown to the
two parties. There are many variants to this scheme with the possibility of a session key,
a.s.o. Let us remark that using a symmetric cryptosystem (sometimes called conventional
system) together with such an asymmetric implementation (the devices are the same for the
encryption and the decryption) leads to an asymmetric cryptosystem (sometimes called
public-key system).

3 Identity-based cryptosystem

By modifying a little bit the previous examples it is no longer necessary to use public keys (or
the public key of somebody is equal to his name or identification). The key generation
machine G now is modified. The system G now uses D″ (with the supersecret key s) and
the input of G is the name (or a sufficient identification of the person to be unique); the
output is the secret key of the user (see also Fig. 4). In order to avoid frauds the uses of
G are controlled by an authority. Each user can use G only once, and is only allowed to
give as input something that corresponds with his identification (birthday, name of his
father, name of company, ...). This is a first advantage because it avoids in large networks
the authentication of the public key. This technique gives a first solution to a problem
opened by Adi Shamir, to propose an identity-based cryptosystem to protect privacy.
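The data flow of the first implementation (Section 2.2) and of the identity-based variant (Section 3), as an added example that is not the paper's own code. A toy HMAC-SHA256 Feistel cipher stands in for the conventional systems E′/D′ and E″/D″ (the paper uses DES); the tamper-resistance of the boxes is not modelled, which is exactly why the last function, the Section 5 observation that whoever knows s can attack all users, is computable here.

```python
# Added example (not the paper's code). E', D', E'', D'' are stood in for by one
# toy HMAC-SHA256 Feistel cipher; all keys and messages are constructed values.
import hashlib
import hmac

BLOCK = 16          # one 16-byte block: two 8-byte Feistel halves
ROUNDS = 8


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: 8 bytes of HMAC-SHA256(key, round || half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Encryption with key `key` on one block (stand-in for E' and E'')."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt, rounds in reverse order (stand-in for D' and D'')."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


# --- first implementation (Fig. 2): devices G, E and D ----------------------

def device_G(s: bytes, k: bytes) -> bytes:
    """Key generation device: K = G(k) = E''_s(k), with s the supersecret key."""
    return toy_encrypt(s, k)


def device_E(s: bytes, K: bytes, message: bytes) -> bytes:
    """Tamperfree encryption box: recovers k = D''_s(K) internally, then E'_k."""
    k = toy_decrypt(s, K)          # in the real device this never leaves the box
    return toy_encrypt(k, message)


def device_D(k: bytes, ciphertext: bytes) -> bytes:
    """Decryption device D = D'_k, operated by the owner of k."""
    return toy_decrypt(k, ciphertext)


# --- identity-based variant (Fig. 4): only G changes, E and D are unchanged --

def identity_public_key(identity: str) -> bytes:
    """The 'public key' is the identity itself, padded to one block."""
    raw = identity.encode()
    assert len(raw) <= BLOCK, "identity must fit one block in this toy"
    return raw.ljust(BLOCK, b"\0")


def identity_device_G(s: bytes, identity: str) -> bytes:
    """Authority-controlled G: the user's secret key is k = D''_s(identity)."""
    return toy_decrypt(s, identity_public_key(identity))


# --- the Section 5 disadvantage ----------------------------------------------

def recover_secret_key(s: bytes, K: bytes) -> bytes:
    """Anyone holding s can do what E does inside the box: k = D''_s(K)."""
    return toy_decrypt(s, K)


if __name__ == "__main__":
    s = bytes(range(16))             # constructed supersecret key
    k = b"user-secret-k-01"          # constructed user secret key (16 bytes)
    msg = b"meet me at 12:00"        # constructed one-block message
    K = device_G(s, k)
    assert device_D(k, device_E(s, K, msg)) == msg
    k_alice = identity_device_G(s, "alice@example")
    c = device_E(s, identity_public_key("alice@example"), msg)
    assert device_D(k_alice, c) == msg
    assert recover_secret_key(s, K) == k
```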

4 Security

In this section only necessary conditions in order to obtain a secure implementation are
discussed. Sufficient conditions are still under research.

The system E″ has to be a secure cryptosystem such that all attacks fail in finding
s by cryptanalytic methods. Therefore it is necessary that E″ is secure against an
adaptive chosen text attack. The reader could wonder how an adaptive chosen text attack
could be set up, certainly if an authority limits the use of the device G (as in the case of
identity-based cryptosystem). The answer is that the adaptive aspect can be obtained if
several users (which have e.g. special names) collaborate.

Evidently the cryptosystems E′, D′ and … have also to be secure cryptosystems.

Another necessary condition is that the system may not have (or use) weak keys (a
term introduced by Davies related to weak keys in DES) or similar weaknesses. Using
a weak key there is no difference between an encryption and a decryption operation.
Indeed an asymmetry is required to obtain public-key systems. If not, this implies that
everybody can generate signatures of an opponent using his public key, because E will
in fact internally use the secret key of the opponent and for weak keys this E′ operation
is the same as the D′ operation. In general in order to protect signatures (with the
described scheme) it must be hard to generate outputs of D′ starting from outputs of E′.
So semi-weak keys are also dangerous. The same remark holds for the protection of
privacy. Otherwise everybody could decrypt messages sent to Bob, using Bob's public key
for a similar reason.

5 Advantages, disadvantages and other aspects

A major advantage of the discussed systems is the speed. Using DES (and dropping weak
keys) much faster public-key systems can be made. An important disadvantage of the
system is that everybody who knows s can attack all users! However in some cases such a
property is desired (by the authority), as in the case of communications between persons
of a same company (e.g. a bank). In this context we remark that the key distribution
problem in some large companies (when a normal conventional system is used), can be
hard to solve.

Remark also that in previous discussions one can e.g. replace the supersecret key s
by some secret function. In the discussed example E′, D′, E″ and D″ are publicly known
conventional algorithms. It is trivial to understand that the same holds if E′, D′, E″
and D″ are secret. In other words if some organization promotes secret algorithms, key
distribution centers can be avoided and one can use the described public-key method.
Indeed in order to maintain the secrecy of the used secret algorithms, the devices must
be at least tamperfree.

Finally one can question whether the described system is really a public-key system. To
solve this problem one can use the well known Turing test. Suppose DES and RSA are
used (to be mathematically correct, n DESes are used with n different keys); is it then
possible to find in polynomial time (as function of n) if DES or RSA is used? It is well
known that the answer is yes, using the Jacobi symbol in a known plaintext attack. In
a secure implementation of RSA and DES it must be hard to make a difference between
real random and the ciphertext in polynomial time. As a consequence if DES (in such
public-key system) and RSA are used in a secure implementation, no difference can be
observed in polynomial time.

Remark that in a part of our paper on the importance of good key scheduling schemes
(1985, CRYPTO '85), we did not obtain a real public-key system as we do here; moreover,
some of our assumptions there are the opposite of some assumptions here.

It is not too hard to find better schemes which satisfy some desired properties; some
of these other schemes are still under research. For instance, in the context of tamperfree
devices, it is possible to design claw-free functions with conventional cryptoalgorithms
and thus to have very fast algorithms to sign documents (Rivest, Goldwasser, Micali,
Goldreich).

Another advantage is that the above idea of identity-based cryptosystem can be used
in a protocol in order to protect passports. Let us again start from the assumption that
tamperfree devices and that conventional cryptosystems exist, where the decryption operation
can not be obtained by applying polynomially the encryption operation. Remark
that the assumption of tamperfree devices is also necessary in Shamir's protocol (presented
at the same conference). Indeed if an owner of a passport is able to find his corresponding
secret (the square roots in Shamir's protocol), there is no protection against cloning. For
very busy businessmen or consultants or researchers it can be an important advantage
to clone themselves, in order that the cloned one handles the public relations and other
aspects, for which the original persons are too busy. If a difference has to be made between
the identity of the person and his cloned version, the person himself is not allowed
to know the secret corresponding with his identity. So tamperfree devices are necessary.

Our identification protocol is very similar to the one of Shamir, except that a different
type of algorithm is used and that the country that is visited generates the random. Again
we use the identity-based cryptosystem to protect signatures. Each country (e.g. Israel)
distributes to other countries the E devices, containing their supersecret s. During use, a
visitor (e.g. Alice) tells the officials her nationality (e.g. Israeli) and her identity. The
country which she visits (e.g. Belgium) then uses the tamperfree device obtained from
Israel and the name (identity) of Alice is used as key by that country (e.g. Belgium).
Belgium then generates some random t and gives E(t) to Alice. If Alice knows her secret
key (obtained from her country: Israel), she is able to decrypt it and obtain t, which she
gives to Belgium. If both match Belgium accepts Alice's identity. The disadvantage of
this system is that 200 different kinds of machines are necessary (one for each country).
The advantage is that each country relies on their own technology to avoid false passports
made by other countries. A proof for the security of the discussed protocol is still under
research.

6 Open Problems

A main open problem is to find an identity-based cryptosystem which protects privacy
and whose security is not based on the assumption of the existence of tamperfree devices.

Another open problem is to overcome the problem of the supersecret key s, mentioned
in Section 5. Does there exist an identity-based cryptosystem to protect privacy whose
security is based on tamperfree devices and computational complexity and which uses a
different supersecret s for different users? In other words that system would remain secure
if the computational problem is solved but the tamperfreeness is still valid, or if the
reverse situation happened.

The authors have the impression that both mentioned open problems are strongly
related.

Remarks

Other works, more or less related to this one, were made by M. E. Smid, H. E. Lennon,
S. M. Matyas and C. H. Meyer, H. Beker and M. Walker.

Acknowledgement
The authors are grateful to Adi Shamir for the discussions related to Section 5.



not shown in the Figure, the dominant-mode wavelength of
the short laser also shifted one mode spacing towards longer
wavelengths relative to the spontaneous emission peak under
DC operation just below threshold, probably owing to an
increase in junction temperature.4 Note that the build-up time
of the dominant mode is significantly faster in the short-cavity
and the type-B ridge-waveguide lasers than in the type-A
device.

The time-dependent output of these lasers, at discrete wavelengths
and in real time, is shown in Fig. 2, where for clarity
the evolution of four individual shots is shown (clean traces)
in comparison with several thousand pulses (smeared traces).

Fig. 2 Transient response of (a) type-A standard-length ridge-waveguide
laser and (b) short-cavity laser

Both traces of a few thousand scans and four individual scans are
shown. The wavelength indicates the spectrometer setting at which
the traces were recorded. Type-B ridge-waveguide laser behaved
similarly to the short-cavity l

and A. Tomita for the use of equipment

Note that, for the type-A ridge-waveguide laser, Fig. 2a, the
individual pulse of any one mode can start at different times
and go through different evolution paths.5,6 The secondary
modes decay while the dominant mode increases to its steady-state
value in about 6 (unit illegible in the scan). A similar display of the output of the
dominant mode of the type-B or the short-cavity laser is reproduced
in Fig. 2b, which shows far less pulse-to-pulse variation.

We conclude that any laser with genuinely stable single-mode
output, whether achieved by design or by accident (as,
for example, by a buried periodic ripple providing wavelength-selective
feedback), leads to transient behaviour compatible
with modulation at high bit rates.

The origin of the intensity fluctuations is the spontaneous
emission.1,7,8 Even when biased slightly below threshold, the
number of spontaneous photons at each longitudinal mode
wavelength is significant, and the instantaneous spectrum just
before application of the current step has large fluctuations.
Subsequent to the arrival of the current step, each mode
builds up at different rates from these fluctuations until the
stimulated emission of the dominant mode finally takes over.
It has been pointed out that, if the side mode initially contains
significant power, it takes several nanoseconds for it to decay.
In a short-cavity laser, however, the decay of the side modes is
faster, allowing faster build-up of the dominant mode.



FAST DECIPHERMENT ALGORITHM FOR
RSA PUBLIC-KEY CRYPTOSYSTEM

Indexing terms: Codes, Cryptography, Public-key cryptosystem, RSA

A fast algorithm is presented for deciphering cryptograms
involved in the public-key cryptosystem proposed by Rivest,
Shamir and Adleman. The deciphering method is based on
the Chinese remainder theorem and on improved modular
multiplication algorithms.

Introduction: Among the published public-key cryptosystems,
the scheme proposed by Rivest, Shamir and Adleman 1
(usually referred to as the RSA or MIT cryptosystem) seems to
be the most attractive for many applications. Its security is
based on the fact that any known successful cryptanalytic
attack has the same complexity as the factorisation of a large
composite number; at this time, no very efficient method of
factoring is known. However, a frequently quoted disadvantage
of the RSA cryptosystem is the relative time complexity
of its operations (discrete …) as compared to conventional systems such as the …

In this letter a fast algorithm is presented for deciphering
cryptograms in the RSA system, which is about 4 times faster
than the classical algorithm for computing a modular
exponentiation. 2 This algorithm is based on the Chinese remainder
theorem and on improved modular multiplications.

RSA scheme: Let an RSA box be a small electronic device 3 the
memory of which contains two large prime numbers p and q.
These numbers have been generated by the RSA box itself and
are accessible to nobody. The product r = pq has been computed
and a random integer e which is relatively prime with
both p - 1 and q - 1 has been generated too. The RSA box
has also precomputed the only integer d < r such that

$e d \equiv 1 \pmod{(p-1)(q-1)}$

The enciphering key consists of the pair (e, r), possibly listed in
a directory. The deciphering key is the pair (d, r) and is kept
secret in the RSA box.

If a user wants to send a private message M to the owner of
this RSA box, he proceeds as follows:

(i) He retrieves the (public) enciphering key (e, r).

(ii) He breaks the message M into a sequence of blocks (m_1,
..., m_i, ..., m_k), where each block is represented as an integer
m_i between 0 and r - 1.

(iii) He transmits the cryptograms (c_1, ..., c_k) where

$c_i = E(m_i) \equiv m_i^{e} \pmod{r}$

The RSA box can decipher the cryptograms c_i by computing
$D(c_i) \equiv c_i^{d} \pmod{r} \equiv m_i$. Hence the message M is recovered by
the owner of the RSA box when the whole sequence (c_1, ..., c_k)
is deciphered.

Fast deciphering algorithm: Classically, as the quantities m, r, e
and d would be about 500 or 600 bits long, 4-7 the enciphering
and the deciphering processes require up to several
hundred multiplications of integers of this length. The enciphering
key can be as short as 2 bits, 1,8 but for avoiding
attacks by enumerative techniques, the deciphering key requires
the maximum length. However, the deciphering process
can be expedited. Before describing the fast deciphering algorithm,
some notations 2,9 must be introduced.
Let us consider the following residues of the quantities m, c
and d:

$c_1 = c \pmod p \qquad c_2 = c \pmod q$

$d_1 = d \pmod{p-1} \qquad d_2 = d \pmod{q-1}$

$m_1 = m \pmod p = c_1^{d_1} \pmod p$

$m_2 = m \pmod q = c_2^{d_2} \pmod q$

since the message m and the cryptogram c are related by
$m = c^{d} \pmod r$.

Given p and q, p < q, let A be a constant integer such that
0 < A < q - 1 and $A p \equiv 1 \pmod q$. This constant is obtained
by applying Euclid's algorithm 11 for computing gcd(p, q). By
using the Chinese remainder theorem it is easily observed that

$m = \left[ \left( (m_2 + q - m_1)\, A \right) \pmod q \right] p + m_1 \qquad (1)$

Hence, to decipher the cryptogram c the algorithm first computes
$m_1 = c_1^{d_1} \pmod p$ and $m_2 = c_2^{d_2} \pmod q$ rather than computing
$m = c^{d} \pmod r$ classically. The quantities p, q, c_1, c_2, d_1
and d_2 are now only about 300 bits long. This permits one to
reduce the time complexity to about a quarter. Moreover the
two computations may be done in parallel. To recover the
message m, it remains to compute expr. 1.

Let us remark that the exponents d_1 and d_2 may be chosen
to be greater than p - 1 and q - 1; that does not affect the
result. But if the (binary) weight of the exponent is smaller,
then the modular exponentiation becomes possibly faster.
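The CRT deciphering above, carried through in code as an added example (not the letter's own code); the key is a constructed toy key, and the re-encryption check with the public exponent before releasing m is an added guard, not part of the letter.

```python
# Added example (not the letter's code): RSA deciphering with the Chinese
# remainder theorem, checked against the classical c^d (mod r).


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def crt_constant(p: int, q: int) -> int:
    """A with A*p == 1 (mod q), from Euclid's algorithm on (p, q); needs p < q."""
    assert p < q
    g, x, _ = egcd(p, q)
    assert g == 1, "p and q must be coprime"
    return x % q


def crt_decipher(c: int, d: int, p: int, q: int, e: int = 0) -> int:
    """m = c^d (mod pq) via two half-size exponentiations and expr. 1."""
    r = p * q
    c1, c2 = c % p, c % q                     # residues of the cryptogram
    d1, d2 = d % (p - 1), d % (q - 1)         # reduced exponents
    m1 = pow(c1, d1, p)                       # m (mod p)
    m2 = pow(c2, d2, q)                       # m (mod q)
    A = crt_constant(p, q)
    m = (((m2 + q - m1) * A) % q) * p + m1    # expr. 1 (Garner's recombination)
    if e and pow(m, e, r) != c:
        # Added guard (not in the letter): a wrong half-result m1 or m2 would
        # otherwise be released; re-encrypting with e detects it.
        raise ValueError("CRT result does not re-encrypt to c")
    return m


def classical_decipher(c: int, d: int, r: int) -> int:
    """The classical deciphering c^d (mod r) for comparison."""
    return pow(c, d, r)


# constructed toy key (far too small for real use): p < q as the letter requires
TOY_P, TOY_Q, TOY_R, TOY_E, TOY_D = 53, 61, 3233, 17, 2753

if __name__ == "__main__":
    m = 65
    c = pow(m, TOY_E, TOY_R)                  # c = m^e (mod r) = 2790
    assert crt_decipher(c, TOY_D, TOY_P, TOY_Q, TOY_E) == m
    assert crt_decipher(c, TOY_D, TOY_P, TOY_Q) == classical_decipher(c, TOY_D, TOY_R)
```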




Even so, the most time consuming part of the deciphering
are the modular exponentiations. A new
algorithm for computing $P = c^{d} \pmod p$ is described
in the Appendix. This algorithm is distinguished from
the classical ones. Many simplifications are made due to the
context in which it is implemented. For example, the modular
multiplications by c are reduced to a sequence of table look-ups
and accumulations. Also the number P is mostly required
to be at most $n = \lceil \log_2 p \rceil$ bits long 4,9 and not necessarily
smaller than p. This explains that only the most significant bit
of P, and not the integer P itself, is tested before a possible
reduction of P. So the reductions modulo p are made as few as
possible. These reductions are also very simplified by the precomputations
of the integers Q and R. Finally, let us remark
that this algorithm does away with the integer division.



Fig. 1 Functional diagram of the deciphering process
(blocks: c (mod p), c (mod q); look-up tables 1 and 2 holding 2^i c (mod p) and 2^i c (mod q); the two exponentiations; the final recombination of expr. 1)

Fig. 1 is a functional diagram of the deciphering process of
the RSA cryptosystem, using this improved modular exponentiation
algorithm and computing $m_1 = c_1^{d_1} \pmod p$ and
$m_2 = c_2^{d_2} \pmod q$ in parallel.

If the lengths of p and q are about 256 bits, then Tables 1
and 2 use 2 x (256)^2 bits = 128 kbits: this value is within the
range of current technology. Faster implementation is still
possible with additional memory of the expressions
$(2^{i+1} + 2^{i})\, c \pmod p$ in both Tables.

We would like to mention that Krishnamurthy and
Ramachandran 11 have independently proposed to use the
Chinese remainder theorem for computing modular exponentiations
in their conventional cryptosystems.

Acknowledgments: We would like to thank J.-M. Goethals for
helpful comments.

Appendix: Let p be an integer > 1 with exactly n bits, i.e.
$n = \lceil \log_2 p \rceil$. An n-bit number d is represented as $[d_{n-1} \ldots d_1 d_0]$.
The following algorithm computes the modular exponentiation.

MODULAR EXPONENTIATION (c, d, p): given
the integers c, d and p, where 0 <= c < p, 0 <= d < p - 1, the
procedure computes the integer P = c^d (mod p), 0 <= P < p.

Initialisation: Q <- 2^n - p; P <- 1;

Step 1: for i = n-1, n-2, ..., 0

1.1 If P_{n-1} = 1 then P <- REDUCTION(P)
1.2 P <- MODMUL(P, P, p, P)
1.3 If d_i = 1 then P <- MODMULCO(P, p, table, P);

Step 2: as long as P_{n-1} = 1 do P <- REDUCTION(P);
Return P



The procedures used in the above algorithm can be described
as follows.

Procedure REDUCTION (P): given the n-bit integer P,
0 <= P < 2^n, and the precomputed (global variable) integer
Q, this procedure returns the value P (mod p),
between 0 and p - 1.

Initialisation: R <- P + Q;

if R_n = 1 then P <- [R_{n-1} ... R_0];

Return P

Procedure MODMUL (x, y, p, P): given the integers x, y and
p, 0 <= x < p, 0 <= y < 2^n, this procedure computes the integer
x . y (mod p). The integer P is an (n + 1)-bit number
[P_n P_{n-1} ... P_1 P_0] but as output, P verifies 0 <= P < 2^n.

Initialisation: R <- Q + x; P <- 0;

for i = n - 1, n - 2, ..., 0

1. P <- one left shift of P
2. If y_i = 1 then
   if P_n = 1 then P <- [P_{n-1} ... P_0] + R else P <- P + x
3. If P_n = 1 then P <- [P_{n-1} ... P_0] + Q
4. If P_n = 1 then P <- [P_{n-1} ... P_0] + Q;

Return P

Procedure LOOK-UP TABLE (c, n, p, table): given the integers
c, n and p, 0 <= c < p, this procedure computes the
sequence c, 2c, 2^2 c, ..., 2^{n-1} c, each value being stored modulo
p in a table. This table is used by MODMULCO.

Initialisation: P <- c; table(0) <- c;

for i = 1, 2, ..., n - 1

1. P <- one left shift of P
2. If P_n = 1 then P <- [P_{n-1} ... P_0] + Q
3. If P_{n-1} = 1 then P <- REDUCTION(P)
4. table(i) <- P;

Return

Procedure MODMULCO (x, p, table, P): given x, 0 <= x < 2^n,
p and the table generated by LOOK-UP TABLE for the integer
c, this procedure returns the value P = c . x (mod p),
0 <= P < 2^n.

Initialisation: P <- 0;
for i = 0, 1, 2, ..., n - 1
If x_i = 1 then
1. P <- P + table(i)
2. If P_n = 1 then P <- [P_{n-1} ... P_0] + Q;
Return P



1 RIVEST, R. L., SHAMIR, A., and ADLEMAN, L.: 'A method for obtaining digital signatures and public-key cryptosystems', Commun. ACM, 1978, 21, pp. 120-126

2 KNUTH, D. E.: 'The art of computer programming, Vol. 2: seminumerical algorithms' (Addison-Wesley, Reading, Mass., 2nd edn.)
Although not shown in the Figure, the dominant-mode wavelength of the short laser also shifted one mode spacing towards longer wavelengths relative to the spontaneous emission peak under DC operation just below threshold, probably owing to an increase in junction temperature.4 Note that the build-up time of the dominant mode is significantly faster in the short-cavity and the type-B ridge-waveguide lasers than in the type-A device.

The time-dependent output of these lasers, at discrete wavelengths and in real time, is shown in Fig. 2, where for clarity the evolution of four individual shots is shown (clean traces) in comparison with several thousand pulses (smeared traces).




Fig. 2 Transient response of (a) type-A standard-length ridge-waveguide laser and (b) short-cavity laser

Both traces of a few thousand scans and four individual scans are shown. The wavelength indicates the spectrometer setting at which the traces were recorded. Type-B ridge-waveguide laser behaved similarly to the short-cavity laser

[Figure 2 panels, labelled with the spectrometer settings λ = 1.3229 µm, λ = 1.3249 µm and λ = 1.2762 µm]

We note again that the jitter in the equipment was less than 50 ps. Thus the displayed random fluctuations (partition of the optical energy among longitudinal modes as a function of time) represent a direct observation of the mode partition noise in real time.

We are indebted to J. A. Copeland, E. A. J. Marcatili and S. E. Miller for unpublished information, and to N. K. Cheung and A. Tomita for the use of equipment.
Note that, for the type-A ridge-waveguide laser, Fig. 2a, the individual pulse of any one mode can start at different times and go through different evolution paths.5,5 The secondary modes decay while the dominant mode increases to its steady-state value in about 6 ns. A similar display of the output of the dominant mode of the type-B or the short-cavity laser is reproduced in Fig. 2b, which shows far less pulse-to-pulse variation.

We conclude that any laser with genuinely stable single-mode output, whether achieved by design or by accident (as, for example, by a buried periodic ripple providing wavelength-selective feedback), leads to transient behaviour compatible with modulation at high bit rates.

The origin of the intensity fluctuations is the spontaneous emission.3,7 Even when biased slightly below threshold, the number of spontaneous photons at each longitudinal mode wavelength is significant, and the instantaneous spectrum just before application of the current step has large fluctuations. Subsequent to the arrival of the current step, each mode builds up at a different rate from these fluctuations until the stimulated emission of the dominant mode finally takes over. It has been pointed out that, if the side mode initially contains significant power, it takes several nanoseconds for it to decay. In a short-cavity laser, however, the decay of the side modes is faster, allowing faster build-up of the dominant mode.



FAST DECIPHERMENT ALGORITHM FOR 
RSA PUBLIC-KEY CRYPTOSYSTEM 



Indexing terms: Codes, Cryptography, Public-key cryptosystem, RSA

A fast algorithm is presented for deciphering cryptograms involved in the public-key cryptosystem proposed by Rivest, Shamir and Adleman. The deciphering method is based on the Chinese remainder theorem and on improved modular multiplication algorithms.



Introduction: Among the published public-key cryptosystems, the scheme proposed by Rivest, Shamir and Adleman1 (usually referred to as the RSA or MIT cryptosystem) seems to be the most attractive for many applications. Its security is based on the fact that any known successful cryptanalytic attack has the same complexity as the factorisation of a large composite number:2,3 at this time, no very efficient method of factoring is known. However, a frequently quoted disadvantage of the RSA cryptosystem is the relative time complexity of its operations (discrete exponentiation modulo a large integer) as compared to conventional systems such as the

In this letter a fast algorithm is presented for deciphering cryptograms in the RSA system, which is about 4-8 times faster than the classical algorithm for computing a modular exponentiation.1 This algorithm is based on the Chinese remainder theorem and on improved modular multiplications.

RSA scheme: Let an RSA box be a small electronic device1 the memory of which contains two large prime numbers p and q. These numbers have been generated by the RSA box itself and are accessible to nobody. The product r = pq has been computed and a random integer e which is relatively prime with both p − 1 and q − 1 has been generated too. The RSA box has also precomputed the only integer d < r such that

ed ≡ 1 (mod (p − 1)(q − 1))

The enciphering key consists of the pair (e, r), possibly listed in a directory. The deciphering key is the pair (d, r) and is kept secret in the RSA box.

If a user wants to send a private message M to the owner of this RSA box, he proceeds as follows:

(i) He retrieves the (public) enciphering key (e, r).

(ii) He breaks the message M into a sequence of blocks (m_1, ..., m_i, ..., m_k), where each block is represented as an integer m_i between 0 and r − 1.

(iii) He transmits the cryptograms (c_1, ..., c_i, ..., c_k), where

c_i = E(m_i) = m_i^e (mod r).

The RSA box can decipher the cryptograms c_i by computing D(c_i) = c_i^d (mod r) = m_i. Hence the message M is recovered by the owner of the RSA box when the whole sequence (c_1, ..., c_k) is deciphered.

Fast deciphering algorithm: Classically, as the quantities m, r, e and d would be about 500 or 600 bits long,6,7 the enciphering and the deciphering processes require up to several hundred multiplications of integers of this length. The enciphering key can be as short as 2 bits,2,8 but, for avoiding attacks by enumerative techniques, the deciphering key requests the maximum length. However, the deciphering process can be expedited. Before describing the fast deciphering algorithm, some notations2,8 must be introduced.

Let us consider the following residues of the quantities m, c and d:

c_1 = c (mod p)            c_2 = c (mod q)
d_1 = d (mod p − 1)        d_2 = d (mod q − 1)
m_1 = m (mod p) = c_1^{d_1} (mod p)
m_2 = m (mod q) = c_2^{d_2} (mod q)

since the message m and the cryptogram c are related by m = c^d (mod r).

Given p and q, p < q, let A be a constant integer such that 0 < A < q − 1 and Ap ≡ 1 (mod q). This constant is obtained by applying Euclid's algorithm2 for computing gcd(p, q). By using the Chinese remainder theorem it is easily observed that m satisfies

m = [((m_2 + q − m_1)A) (mod q)] p + m_1        (1)

Hence, to decipher the cryptogram c, the algorithm first computes m_1 = c_1^{d_1} (mod p) and m_2 = c_2^{d_2} (mod q) rather than computing m = c^d (mod r) classically. The quantities p, q, c_1, c_2, d_1 and d_2 are now only about 300 bits long. This permits one to reduce the time complexity to about a quarter. Moreover the two computations may be done in parallel. To recover the message m, it remains to compute expr. 1.

Let us remark that the exponents d_1 and d_2 may be chosen to be greater than p − 1 and q − 1; that does not affect the result. But if the (binary) weight of the exponent is smaller.



Even so, the most time-consuming part of the deciphering scheme remains the modular exponentiations. A modular exponentiation algorithm for computing P = c^d (mod p) is described in the Appendix. This algorithm is distinguished from the classical ones. Many simplifications are made due to the context in which it is implemented. For example, the modular multiplications by c are reduced to a sequence of table look-ups and accumulations.9 Also the number P is mostly required to be at most n = ⌈log_2 p⌉ bits long10 and not necessarily smaller than p. This explains that only the most significant bit of P, and not the integer P itself, is tested before a possible reduction of P. So the reductions modulo p are made as few as possible. These reductions are also very simplified by the precomputations of the integers Q and R. Finally, let us remark that this algorithm does away with the integer division.



[Fig. 1: c (mod p), p < q, and c (mod q) are formed from the cryptogram c; look-up Table 1 holds c_1, 2c_1 (mod p), 2^2 c_1 (mod p), ... and Table 2 holds c_2, 2c_2 (mod q), 2^2 c_2 (mod q), ...; the two branches compute c_1^{d_1} (mod p) and c_2^{d_2} (mod q) and are combined as m = [((m_2 + q − m_1)A) (mod q)] p + m_1]

Fig. 1



Fig. 1 is a functional diagram of the deciphering process of the RSA cryptosystem, using this improved modular exponentiation algorithm and computing m_1 = c_1^{d_1} (mod p) and m_2 = c_2^{d_2} (mod q) in parallel.

If the lengths of p and q are about 256 bits, then Tables 1 and 2 use 2 × (256)^2 bits ≈ 128 kbits: this value is within the range of current technology. Faster implementation is still possible with additional memory of the expressions (2^{i+1} + 2^i) c (mod p) in both Tables.

We would like to mention that Krishnamurthy and Ramachandran11 have independently proposed to use the Chinese remainder theorem for computing modular exponentiations in their conventional cryptosystems.

Acknowledgments: We would like to thank J.-M. Goethals for helpful comments.

Appendix: Let p be an integer, > 1, with exactly n bits, i.e. n = ⌈log_2 p⌉. An n-bit number d is represented as [d_{n−1} ... d_1 d_0]. The following algorithm computes the modular exponentiation.

Procedure MODULAR EXPONENTIATION (c, d, p): given the integers c, d and p, where 0 ≤ c < p, 0 ≤ d < p − 1, the procedure computes the integer P = c^d (mod p), 0 ≤ P < p.

Initialisation: Q ← 2^n − p; P ← 1;

Step 1: for i = n − 1, n − 2, ..., 0
1.1 if P_{n−1} = 1 then P ← REDUCTION(P)
1.2 P ← MODMUL(P, P, p, P)
1.3 if d_i = 1 then P ← MODMULCO(P, p, table, P);

Step 2: if P_{n−1} = 1 then P ← REDUCTION(P);
Return P

The procedures used in the above algorithm can be described as follows.

Procedure REDUCTION (P): given the n-bit integer P, 0 ≤ P < 2^n, and the precomputed (global variable) integer Q = 2^n − p, this procedure returns the value P (mod p), between 0 and p − 1.

Initialisation: R ← P + Q;

if R_n = 1 then P ← [R_{n−1} ... R_0];

Return P

Procedure MODMUL (x, y, p, P): given the integers x, y and p, 0 ≤ x < p, 0 ≤ y < 2^n, this procedure computes the integer P = x · y (mod p). The integer P is an (n + 1)-bit number [P_n P_{n−1} ... P_1 P_0] but as output, P verifies 0 ≤ P < 2^n.

Initialisation: R ← Q + x; P ← 0;

for i = n − 1, n − 2, ..., 0

1. P ← one left shift of P

2. if y_i = 1 then
   if P_n = 1 then P ← [P_{n−1} ... P_0] + R else P ← P + x

3. if P_n = 1 then P ← [P_{n−1} ... P_0] + Q

4. if P_n = 1 then P ← [P_{n−1} ... P_0] + Q;

Return P

Procedure LOOK-UP TABLE (c, p, table): given the integers c, n and p, 0 ≤ c < p, this procedure computes the sequence c, 2c, 2^2 c, ..., 2^{n−1} c, each value being stored modulo p in a table. This table is used by MODMULCO.

Initialisation: P ← c; table(0) ← c;

for i = 1, 2, ..., n − 1

1. P ← one left shift of P
2. if P_n = 1 then P ← [P_{n−1} ... P_0] + Q
3. if P_{n−1} = 1 then P ← REDUCTION(P)
4. table(i) ← P;

Return

Procedure MODMULCO (x, p, table, P): given x, 0 ≤ x < 2^n, p and the table generated by LOOK-UP TABLE for the integer c, this procedure returns the value P = c · x (mod p), 0 ≤ P < 2^n.

Initialisation: P ← 0;

for i = 0, 1, 2, ..., n − 1

if x_i = 1 then

1. P ← P + table(i)

2. if P_n = 1 then P ← [P_{n−1} ... P_0] + Q;
Return P

J.-J. QUISQUATER

C. COUVREUR
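The deciphering scheme of expr. (1) on top of the Appendix procedures, as an added example that is not the authors' code: each procedure is transcribed bit for bit, the paper's global Q = 2^n − p is passed as a parameter, and n is taken as the bit length of p.

```python
"""Quisquater-Couvreur RSA decipherment: the CRT split of expr. (1) on top
of the appendix's division-free MODULAR EXPONENTIATION. Added example, not
the authors' code. P is an (n+1)-bit accumulator: "P_n" is bit n and
"[P_{n-1} ... P_0]" is P with bit n dropped; the paper's global Q = 2^n - p
is passed explicitly here."""

def bit(v: int, i: int) -> int:
    return (v >> i) & 1

def low_n(v: int, n: int) -> int:
    """[v_{n-1} ... v_0]: drop bit n."""
    return v & ((1 << n) - 1)

def reduction(P: int, p: int, n: int, Q: int) -> int:
    """REDUCTION: 0 <= P < 2^n -> P mod p with one addition, no division.
    If P >= p, P + Q = (P - p) + 2^n carries into bit n; dropping that bit
    leaves P - p, which is already below p."""
    R = P + Q
    if bit(R, n) == 1:
        P = low_n(R, n)
    return P

def modmul(x: int, y: int, p: int, n: int, Q: int) -> int:
    """MODMUL: x*y mod p for 0 <= x < p, 0 <= y < 2^n, shift-and-add with
    at most two conditional subtractions of p per bit. The output is only
    guaranteed < 2^n, not < p: only the top bit is ever tested."""
    R = Q + x                   # "drop bit n, add R" computes P - p + x
    P = 0
    for i in range(n - 1, -1, -1):
        P <<= 1                                     # 1. one left shift
        if bit(y, i) == 1:                          # 2. accumulate x
            P = low_n(P, n) + R if bit(P, n) else P + x
        if bit(P, n) == 1:                          # 3. P - p
            P = low_n(P, n) + Q
        if bit(P, n) == 1:                          # 4. P - p once more
            P = low_n(P, n) + Q
    return P

def lookup_table(c: int, p: int, n: int, Q: int) -> list:
    """LOOK-UP TABLE: table[i] = 2^i * c mod p, i = 0 .. n-1 (Tables 1/2)."""
    P, table = c, [c]
    for _ in range(1, n):
        P <<= 1                                     # 1.
        if bit(P, n) == 1:                          # 2. P - p
            P = low_n(P, n) + Q
        if bit(P, n - 1) == 1:                      # 3. bring P below p
            P = reduction(P, p, n, Q)
        table.append(P)                             # 4.
    return table

def modmulco(x: int, p: int, n: int, Q: int, table: list) -> int:
    """MODMULCO: c*x mod p (c fixed by the table) as look-ups and additions."""
    P = 0
    for i in range(n):
        if bit(x, i) == 1:
            P = P + table[i]                        # 1.
            if bit(P, n) == 1:                      # 2. P - p
                P = low_n(P, n) + Q
    return P

def modular_exponentiation(c: int, d: int, p: int) -> int:
    """MODULAR EXPONENTIATION: c^d mod p, 0 <= c < p, 0 <= d < p - 1, scanning
    the n bits of d from the most significant; no integer division anywhere."""
    n = p.bit_length()          # n = ceil(log2 p) for an odd p
    Q = (1 << n) - p
    table = lookup_table(c, p, n, Q)
    P = 1
    for i in range(n - 1, -1, -1):                  # Step 1
        if bit(P, n - 1) == 1:                      # 1.1 MODMUL needs x < p
            P = reduction(P, p, n, Q)
        P = modmul(P, P, p, n, Q)                   # 1.2 squaring
        if bit(d, i) == 1:                          # 1.3 multiply by c
            P = modmulco(P, p, n, Q, table)
    if bit(P, n - 1) == 1:                          # Step 2
        P = reduction(P, p, n, Q)
    return P

def inverse_mod(a: int, m: int) -> int:
    """Euclid's algorithm: the A with A*a = 1 (mod m), 0 < A < m."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    assert r0 == 1, "not invertible"
    return s0 % m

def fast_decipher(c: int, d: int, p: int, q: int) -> int:
    """Expr. (1): two half-size exponentiations (independent, so they may run
    in parallel), then m = [((m_2 + q - m_1)A)(mod q)]p + m_1, A p = 1 (mod q)."""
    assert p < q
    c1, c2 = c % p, c % q
    d1, d2 = d % (p - 1), d % (q - 1)
    m1 = modular_exponentiation(c1, d1, p)
    m2 = modular_exponentiation(c2, d2, q)
    A = inverse_mod(p, q)
    return (((m2 + q - m1) * A) % q) * p + m1
```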
MEASUREMENT OF POLARISATION
MODE DISPERSION IN ELLIPTICAL-
CORE SINGLE-MODE FIBRES AT
1.3 µm

Indexing terms: Optical fibres, Polarisation, Dispersion

Polarisation mode delay differences in three single-mode fibres were measured interferometrically at 1.3 µm with a resolution below 25 fs. Polarisation mode dispersion increases strongly with core ellipticity.

Introduction: Polarisation mode dispersion may be a limiting factor in high-capacity single-mode optical-fibre transmission systems1,2 that will be operated most likely at about 1.3 µm wavelength, where the material dispersion is minimum. We report here on polarisation mode dispersion measurements carried out interferometrically at 1.3 µm. This is to complement some related recently published results3,4 that concentrated on the shorter wavelengths around 0.85 µm. The results illustrate the strong dependence of the polarisation mode dispersion on the fibre core ellipticity. Some special features of our measurement method and set-up resulted in an improved resolution of below ± 25 fs delay time difference.

Measurement set-up: For our measurements we used the interferometric method described by Mochizuki et al. (see Fig. 1 in their paper3). A temperature stabilised quaternary semiconductor laser, model HLD 5400 (Hitachi), emitting at 1.300 µm was used as optical source. Its spectral profile is shown in Fig. 1.

Fig. 1 Spectral profile of laser diode used (HLD 5400)

Operating conditions: 28.8 mA, 298 K; centre wavelength λ = 1300.0 nm
Preface



This report is written for people who are interested in implementing modular exponentiation 
based cryptosystems. These include the RSA algorithm, the Diffie-Hellman key exchange 
scheme, the ElGamal algorithm, and the recently proposed Digital Signature Standard (DSS) 
of the National Institute for Standards and Technology. The emphasis of the report is on 
the underlying mathematics, algorithms, and their running time analyses. The report does 
not include any actual code; however, we have selected the algorithms which are particularly 
suitable for microprocessor and signal processor implementations. It is our aim and hope 
that the report will close the gap between the mathematics of the modular exponentiation 
operation and its actual implementation on a general purpose processor. 
Chapter 1

The RSA Cryptosystem

1.1 The RSA Algorithm

The RSA algorithm was invented by Rivest, Shamir, and Adleman [41]. Let p and q be two distinct large random primes. The modulus n is the product of these two primes: n = pq. Euler's totient function of n is given by

φ(n) = (p − 1)(q − 1) .

Now, select a number 1 < e < φ(n) such that

gcd(e, φ(n)) = 1 ,

and compute d with

d = e^{-1} mod φ(n)

using the extended Euclidean algorithm [19, 31]. Here, e is the public exponent and d is the private exponent. Usually one selects a small public exponent, e.g., e = 2^16 + 1. The modulus n and the public exponent e are published. The value of d and the prime numbers p and q are kept secret. Encryption is performed by computing

C = M^e (mod n) ,

where M is the plaintext such that 0 < M < n. The number C is the ciphertext from which the plaintext M can be computed using

M = C^d (mod n) .

The correctness of the RSA algorithm follows from Euler's theorem: Let n and a be positive, relatively prime integers. Then

a^{φ(n)} = 1 (mod n) .
4 The RSA Cryptosystem

Since we have ed = 1 mod φ(n), i.e., ed = 1 + Kφ(n) for some integer K, we can write

C^d = (M^e)^d (mod n)
    = M^{ed} (mod n)
    = M^{1 + Kφ(n)} (mod n)
    = M · (M^{φ(n)})^K (mod n)
    = M · 1 (mod n)

provided that gcd(M, n) = 1. The exception gcd(M, n) > 1 can be dealt with as follows. According to Carmichael's theorem

M^{λ(n)} = 1 (mod n)

where λ(n) is Carmichael's function which takes a simple form for n = pq, namely,

λ(pq) = (p − 1)(q − 1) / gc​d(p − 1, q − 1) .

Note that λ(n) is always a proper divisor of φ(n) when n is the product of distinct odd primes; in this case λ(n) is smaller than φ(n). Now, the relationship between e and d is given by

M^{ed} = M (mod n) if ed = 1 (mod λ(n)) .

Provided that n is a product of distinct primes, the above holds for all M, thus dealing with the above-mentioned exception gcd(M, n) > 1 in Euler's theorem.

As an example, we construct a simple RSA cryptosystem as follows: Pick p = 11 and q = 13, and compute

n = p · q = 11 · 13 = 143 ,

φ(n) = (p − 1) · (q − 1) = 10 · 12 = 120 .

We can also compute Carmichael's function of n as

λ(pq) = (p − 1)(q − 1) / gcd(p − 1, q − 1) = 10 · 12 / gcd(10, 12) = 120 / 2 = 60 .

The public exponent e is selected such that 1 < e < φ(n) and

gcd(e, φ(n)) = gcd(e, 120) = 1 .

For example, e = 17 would satisfy this constraint. The private exponent d is computed by

d = e^{-1} (mod φ(n))
  = 17^{-1} (mod 120)
  = 113

which is computed using the extended Euclidean algorithm, or any other algorithm for computing the modular inverse. Thus, the user publishes the public exponent and the modulus: (e, n) = (17, 143), and keeps the following private: d = 113, p = 11, q = 13. A typical encryption/decryption process is executed as follows:






Plaintext:   M = 50
Encryption:  C := M^e (mod n)
             C := 50^17 (mod 143)
             C = 85
Ciphertext:  C = 85
Decryption:  M := C^d (mod n)
             M := 85^113 (mod 143)
             M = 50
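The set-up of Section 1.1 with both exponent moduli, φ(n) and Carmichael's λ(n), and an exhaustive check of the gcd(M, n) > 1 exception on the toy key above; added example, not the report's code (the report contains no code).

```python
"""RSA key set-up with both exponent moduli of Section 1.1: phi(n) from
Euler's theorem and the Carmichael function lambda(n), plus a brute-force
check that decryption recovers every M in [0, n), including the M with
gcd(M, n) > 1 that Euler's theorem alone does not cover. Added example, not
the report's code."""
from math import gcd

def carmichael(p: int, q: int) -> int:
    """lambda(pq) = (p-1)(q-1) / gcd(p-1, q-1) = lcm(p-1, q-1)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def rsa_setup(p: int, q: int, e: int) -> dict:
    """Return n, phi, lambda and the private exponents d computed modulo
    phi(n) and modulo lambda(n); either one works with the public (e, n)."""
    n, phi, lam = p * q, (p - 1) * (q - 1), carmichael(p, q)
    assert gcd(e, phi) == 1 and 1 < e < phi
    return {"n": n, "phi": phi, "lambda": lam,
            "d_phi": pow(e, -1, phi),       # extended Euclid via pow()
            "d_lambda": pow(e, -1, lam)}

def decrypts_everything(n: int, e: int, d: int) -> bool:
    """M^(ed) = M (mod n) for every residue M, not only gcd(M, n) = 1."""
    return all(pow(pow(M, e, n), d, n) == M for M in range(n))

def non_units(n: int) -> int:
    """How many M in [0, n) have gcd(M, n) > 1 (the Euler-theorem exception)."""
    return sum(1 for M in range(n) if gcd(M, n) > 1)
```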

1.2 Exchange of Private Messages 

The public-key directory contains the pairs (e, n) for each user. The users wishing to send 
private messages to one another refer to the directory to obtain these parameters. For 
example, the directory might be arranged as follows: 



User     Public Keys
Alice    (e_a, n_a)
Bob      (e_b, n_b)
Cathy    (e_c, n_c)

The pair n_a and e_a respectively are the modulus and the public exponent for Alice. As an example, we show how Alice sends her private message M to Bob. In our simple protocol example Alice executes the following steps:

1. Alice locates Bob's name in the directory and obtains his public exponent and the modulus: (e_b, n_b).

2. Alice computes C := M^{e_b} (mod n_b).

3. Alice sends C to Bob over the network.

4. Bob receives C.

5. Bob uses his private exponent and the modulus, and computes M = C^{d_b} (mod n_b) in order to obtain M.

1.3 Signing Digital Documents 

The RSA algorithm provides a procedure for signing a digital document, and verifying whether the signature is indeed authentic. The signing of a digital document is somewhat different from signing a paper document, where the same signature is being produced for all paper documents. A digital signature cannot be a constant; it is a function of the digital document for which it was produced. After the signature (which is just another piece of digital data) of a digital document is obtained, it is attached to the document for anyone wishing to verify the authenticity of the document and the signature. Here we will briefly illustrate the process of signing using the RSA cryptosystem. Suppose Alice wants to sign a message, and Bob would like to obtain a proof that this message is indeed signed by Alice. First, Alice executes the following steps:

1. Alice takes the message M and computes S = M^{d_a} (mod n_a).

2. Alice makes her message M and the signature S available to any party wishing to verify the signature.

Bob executes the following steps in order to verify Alice's signature S on the document M:

1. Bob obtains M and S, and locates Alice's name in the directory and obtains her public exponent and the modulus (e_a, n_a).

2. Bob computes M' = S^{e_a} (mod n_a).

3. If M' = M then the signature is verified. Otherwise, either the original message M or the signature S is modified, thus, the signature is not valid.

We note that the protocol examples given here are for illustration purposes only — they are simple 'textbook' protocols; in practice, the protocols are somewhat more complicated. For example, secret-key cryptographic techniques may also be used for sending private messages. Also, signing is applied to messages of arbitrary length. The signature is often computed by first computing a hash value of the long message and then signing this hash value. We refer the reader to the report [42] and Public Key Cryptography Standards [43] published by RSA Data Security, Inc., for answers to certain questions on these issues.



1.4 Computation of Modular Exponentiation

Once an RSA cryptosystem is set up, i.e., the modulus and the private and public exponents are determined and the public components have been published, the senders as well as the recipients perform a single operation for signing, verification, encryption, and decryption. The RSA algorithm in this respect is one of the simplest cryptosystems. The operation required is the computation of M^e (mod n), i.e., the modular exponentiation. The modular exponentiation operation is a common operation for scrambling; it is used in several cryptosystems. For example, the Diffie-Hellman key exchange scheme requires modular exponentiation [8]. Furthermore, the ElGamal signature scheme [13] and the recently proposed Digital Signature Standard (DSS) of the National Institute for Standards and Technology [34] also require the computation of modular exponentiation. However, we note that the exponentiation process in a cryptosystem based on the discrete logarithm problem is slightly different: The base (M) and the modulus (n) are known in advance. This allows some precomputation since powers of the base can be precomputed and saved [6]. In the exponentiation process for the RSA algorithm, we know the exponent (e) and the modulus (n) in advance but not the base; thus, such optimizations are not likely to be applicable. The emphasis of this report is on the RSA cryptosystem as the title suggests.

In the following chapters we will review techniques for implementation of the modular exponentiation operation on general-purpose computers, e.g., personal computers, microprocessors, microcontrollers, signal processors, workstations, and mainframe computers. This report does not include any actual code; it covers mathematical and algorithmic aspects of the software implementations of the RSA algorithm. There also exist hardware structures for performing the modular multiplication and exponentiations, for example, see [40, 28, 46, 15, 24, 25, 26, 50]. A brief review of the hardware implementations can be found in [5].
Chapter 2

Modular Exponentiation 



2.1 Modular Exponentiation 

The first rule of modular exponentiation is that we do not compute

C := M^e (mod n)

by first exponentiating

M^e

and then performing a division to obtain the remainder

C := (M^e) % n .

The temporary results must be reduced modulo n at each step of the exponentiation. This is because the space requirement of the binary number M^e is enormous. Assuming M and e have 256 bits each, we need

log_2(M^e) = e · log_2(M) ≈ 2^256 · 256 = 2^264 ≈ 10^80

bits in order to store M^e. This number is approximately equal to the number of particles in the universe [1]; we have no way of storing it. In order to compute the bit capacity of all computers in the world, we can make a generous assumption that there are 512 million computers, each of which has 512 MBytes of memory. Thus, the total number of bits available would be

512 · 2^20 · 512 · 2^20 · 8 = 2^61 ≈ 10^18 ,

which is only enough to store M^e when M and e are 55 bits.

2.2 Exponentiation 

We raise the following question: How many modular multiplications are needed to compute M^e mod n? A naive way of computing C = M^e (mod n) is to start with C := M (mod n) and keep performing the modular multiplication operations

C := C · M (mod n)

until C = M^e (mod n) is obtained. The naive method requires e − 1 modular multiplications to compute C := M^e (mod n), which would be prohibitive for large e. For example, if we need to compute M^15 (mod n), this method computes all powers of M until 15:

M → M^2 → M^3 → M^4 → M^5 → M^6 → M^7 → ... → M^15

which requires 14 multiplications. However, not all powers of M need to be computed in order to obtain M^15. Here is a faster method of computing M^15:

M → M^2 → M^3 → M^6 → M^7 → M^14 → M^15

which requires 6 multiplications. The method by which M^15 is computed is not specific for certain exponents; it can be used to compute M^e for any e. The algorithm is called the binary method or square and multiply method, and dates back to antiquity.



2.3 The Binary Method 

The binary method scans the bits of the exponent either from left to right or from right to left. A squaring is performed at each step, and depending on the scanned bit value, a subsequent multiplication is performed. We describe the left-to-right binary method below. The right-to-left algorithm requires one extra variable to keep the powers of M. The reader is referred to Section 4.6.3 of Knuth's book [19] for more information. Let k be the number of bits of e, i.e., k = 1 + ⌊log_2 e⌋, and the binary expansion of e be given by

e = (e_{k−1} e_{k−2} ... e_1 e_0) = Σ_{i=0}^{k−1} e_i 2^i

for e_i ∈ {0, 1}. The binary method for computing C = M^e (mod n) is given below:

The Binary Method

Input: M, e, n.

Output: C = M^e mod n.

1. if e_{k−1} = 1 then C := M else C := 1

2. for i = k − 2 downto 0
2a. C := C · C (mod n)

2b. if e_i = 1 then C := C · M (mod n)

3. return C



As an example, let e = 250 = (11111010), which implies k = 8. Initially, we take C := M since e_{k−1} = e_7 = 1. The binary method proceeds as follows:

i   e_i   Step 2a                Step 2b
6   1     (M)^2 = M^2            M^2 · M = M^3
5   1     (M^3)^2 = M^6          M^6 · M = M^7
4   1     (M^7)^2 = M^14         M^14 · M = M^15
3   1     (M^15)^2 = M^30        M^30 · M = M^31
2   0     (M^31)^2 = M^62        M^62
1   1     (M^62)^2 = M^124       M^124 · M = M^125
0   0     (M^125)^2 = M^250      M^250

The number of modular multiplications required by the binary method for computing M^250 is found to be 7 + 5 = 12. For an arbitrary k-bit number e with e_{k−1} = 1, the binary method requires:

• Squarings (Step 2a): k − 1 where k is the number of bits in the binary expansion of e.

• Multiplications (Step 2b): H(e) − 1 where H(e) is the Hamming weight (the number of 1s in the binary expansion) of e.

Assuming e > 0, we have 0 ≤ H(e) − 1 ≤ k − 1. Thus, the total number of multiplications is found as:

Maximum: (k − 1) + (k − 1) = 2(k − 1) ,

Minimum: (k − 1) + 0 = k − 1 ,

Average: (k − 1) + (1/2)(k − 1) = (3/2)(k − 1) ,

where we assume that e_{k−1} = 1.

2.4 The m-ary Method

The binary method can be generalized by scanning the bits of e

• 2 at a time: the quaternary method, or

• 3 at a time: the octal method, etc.

More generally,

• log_2 m at a time: the m-ary method.

The m-ary method is based on the m-ary expansion of the exponent. The digits of e are then scanned and squarings (powerings) and subsequent multiplications are performed accordingly. The method was described in Knuth's book [19]. When m is a power of 2, the implementation of the m-ary method is rather simple, since M^e is computed by grouping the bits of the binary expansion of the exponent e. Let e = (e_{k−1} e_{k−2} ... e_1 e_0) be the binary expansion of the exponent. This representation of e is partitioned into s blocks of length r each for sr = k. If r does not divide k, the exponent is padded with at most r − 1 0s. We define

F_i = (e_{ir+r−1} e_{ir+r−2} ... e_{ir}) = Σ_{j=0}^{r−1} e_{ir+j} 2^j .

Note that 0 ≤ F_i ≤ m − 1 and e = Σ_{i=0}^{s−1} F_i 2^{ir}. The m-ary method first computes the values of M^w (mod n) for w = 2, 3, ..., m − 1. Then the bits of e are scanned r bits at a time from the most significant to the least significant. At each step the partial result is raised to the 2^r power and multiplied by M^{F_i} modulo n where F_i is the (nonzero) value of the current bit section.

The m-ary Method

Input: M, e, n.

Output: C = M^e mod n.

1. Compute and store M^w (mod n) for all w = 2, 3, 4, ..., m − 1.

2. Decompose e into r-bit words F_i for i = 0, 1, 2, ..., s − 1.

3. C := M^{F_{s−1}} (mod n)

4. for i = s − 2 downto 0
4a. C := C^{2^r} (mod n)

4b. if F_i ≠ 0 then C := C · M^{F_i} (mod n)

5. return C

2.4.1 The Quaternary Method 

We first consider the quaternary method. Since the bits of e are scanned two at a time, the possible digit values are (00) = 0, (01) = 1, (10) = 2, and (11) = 3. The multiplication step (Step 4b) may require the values M^0, M^1, M^2, and M^3. Thus, we need to perform some preprocessing to obtain M^2 and M^3. As an example, let e = 250 and partition the bits of e in groups of two bits as

e = 250 = 11 11 10 10 .

Here, we have s = 4 (the number of groups s = k/r = 8/2 = 4). During the preprocessing step, we compute:

bits   w   M^w
00     0   1
01     1   M
10     2   M · M = M^2
11     3   M^2 · M = M^3

The quaternary method then assigns C := M^{F_3} = M^3 (mod n), and proceeds to compute M^250 (mod n) as follows:



i   F_i   Step 4a               Step 4b
2   11    (M^3)^4 = M^12        M^12 · M^3 = M^15
1   10    (M^15)^4 = M^60       M^60 · M^2 = M^62
0   10    (M^62)^4 = M^248      M^248 · M^2 = M^250

The number of modular multiplications required by the quaternary method for computing M^250 (mod n) is found as 2 + 6 + 3 = 11.
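The binary method and the m-ary method above, as an added example that is not the report's code: both carry a counter of modular multiplications so the e = 250 counts in the text can be reproduced, and m may be any power of two (m = 2 reduces to the binary method; m = 8 is the octal case). The modulus n used in the checks is a constructed value.

```python
"""Left-to-right binary method and the m-ary method (m a power of two) with
a counter for modular multiplications, so the operation counts of the text
(e = 250: 12 for the binary method, 11 for the quaternary method) can be
reproduced for any M, e, n. Added example, not the report's code."""

def binary_method(M: int, e: int, n: int) -> tuple:
    """Returns (M^e mod n, number of modular multiplications incl. squarings)."""
    assert e >= 1
    k = e.bit_length()                              # so e_{k-1} = 1
    C, count = M % n, 0                             # Step 1
    for i in range(k - 2, -1, -1):                  # Step 2
        C, count = C * C % n, count + 1             # 2a squaring
        if (e >> i) & 1:                            # 2b multiply by M
            C, count = C * M % n, count + 1
    return C, count                                 # Step 3

def m_ary_method(M: int, e: int, n: int, m: int) -> tuple:
    """m-ary method with full precomputation of M^w, w = 2 .. m-1.
    r = log2 m bits of e are consumed per step (r squarings, <= 1 multiply)."""
    r = m.bit_length() - 1
    assert e >= 1 and r >= 1 and 1 << r == m
    powers, count = [1, M % n], 0
    for _ in range(2, m):                           # Step 1: m - 2 multiplies
        powers.append(powers[-1] * M % n)
        count += 1
    s = -(-e.bit_length() // r)                     # Step 2: pad k up to s*r bits
    F = [(e >> (i * r)) & (m - 1) for i in range(s)]
    C = powers[F[s - 1]]                            # Step 3
    for i in range(s - 2, -1, -1):                  # Step 4
        for _ in range(r):                          # 4a: C := C^(2^r)
            C, count = C * C % n, count + 1
        if F[i] != 0:                               # 4b
            C, count = C * powers[F[i]] % n, count + 1
    return C, count
```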



2.4.2 The Octal Method 

The octal method partitions the bits of the exponent in groups of 3 bits. For example,
$e = 250$ is partitioned as

$e = 250 = 011\ 111\ 010$,

by padding a zero to the left, giving $s = k/r = 9/3 = 3$. During the preprocessing step we
compute $M^w \pmod n$ for all $w = 2, 3, 4, 5, 6, 7$.



    bits    w    M^w
    000     0    1
    001     1    $M$
    010     2    $M \cdot M = M^2$
    011     3    $M^2 \cdot M = M^3$
    100     4    $M^3 \cdot M = M^4$
    101     5    $M^4 \cdot M = M^5$
    110     6    $M^5 \cdot M = M^6$
    111     7    $M^6 \cdot M = M^7$



The octal method then assigns $C := M^{F_2} = M^3 \pmod n$, and proceeds to compute $M^{250}
\pmod n$ as follows:



    i    F_i    Step 4a                    Step 4b
    1    111    $(M^3)^8 = M^{24}$         $M^{24} \cdot M^7 = M^{31}$
    0    010    $(M^{31})^8 = M^{248}$     $M^{248} \cdot M^2 = M^{250}$



The computation of $M^{250} \pmod n$ by the octal method requires a total of $6 + 6 + 2 =
14$ modular multiplications. However, notice that, even though we have computed $M^w
\pmod n$ for all $w = 2, 3, 4, 5, 6, 7$, we have not used all of them. Thus, we can slightly
modify Step 1 of the m-ary method and precompute $M^w \pmod n$ for only those $w$ which
appear in the partitioned binary expansion of $e$. For example, for $e = 250$, the partitioned
bit values are $(011) = 3$, $(111) = 7$, and $(010) = 2$. We can compute these powers using only
4 multiplications:
    bits    w    M^w
    000     0    1
    001     1    $M$
    010     2    $M \cdot M = M^2$
    011     3    $M^2 \cdot M = M^3$
    100     4    $M^3 \cdot M = M^4$
    111     7    $M^4 \cdot M^3 = M^7$



This gives the total number of multiplications required by the octal method for computing
$M^{250} \pmod n$ as $4 + 6 + 2 = 12$. The method of computing $M^e \pmod n$ by precomputing
$M^w \pmod n$ for only those $w$ which appear in the partitioning of the exponent is termed a
data-dependent or an adaptive algorithm. In the following section, we will explore methods of
this kind which try to reduce the number of multiplications by making use of the properties
of the given $e$. In general, we will probably have to compute $M^w \pmod n$ for all $w =
2, 3, \ldots, 2^r - 1$. This will be more of the case when $k$ is very large. We summarize the
average number of multiplications and squarings required by the m-ary method assuming
$2^r = m$ and $k/r$ is an integer.

• Preprocessing Multiplications (Step 1): $m - 2 = 2^r - 2$

• Squarings (Step 4a): $(k/r - 1) \cdot r = k - r$

• Multiplications (Step 4b): $(k/r - 1)(1 - 1/m) = (k/r - 1)(1 - 2^{-r})$

Thus, in general, the m-ary method requires

$$2^r - 2 + k - r + \left(\frac{k}{r} - 1\right)\left(1 - 2^{-r}\right)$$

multiplications plus squarings on the average. The average number of multiplications for the
binary method can be found simply by substituting $r = 1$ and $m = 2$ in the above, which
gives $\frac{3}{2}(k - 1)$. Also note that there exists an optimal $r = r^*$ for each $k$ such that the average
number of multiplications required by the m-ary method is minimum. The optimal values
of $r$ can be found by enumeration [21]. In the following we tabulate the average values of
multiplications plus squarings required by the binary method and the m-ary method with
the optimal values of $r$.



    k       binary    m-ary    r*     Savings %
    8       11        10       2      9.1
    16      23        21       2      8.6
    32      47        43       2,3    8.5
    64      95        85       3      10.5
    128     191       167      3,4    12.6
    256     383       325      4      15.1
    512     767       635      5      17.2
    1024    1535      1246     5      18.8
    2048    3071      2439     6      20.6
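The m-ary method of Section 2.4 and the average-cost formula behind the table above, as an added Python example that is not part of the original report. The function names (`mary_powmod`, `addition_sequence`, `avg_mary`, `optimal_r`), the sample base and modulus, and the greedy addition-sequence heuristic used for the adaptive precomputation are ours; that heuristic happens to reproduce the 4-multiplication preprocessing of the octal example, but it is not the report's procedure.

```python
# Added example: the m-ary method with an operation counter, plus the
# average-cost formula used for the table above.  Not from the original
# report; function names, heuristic and sample values are ours.


def addition_sequence(targets):
    """Greedy addition sequence reaching every w in targets from 1.

    Returns the exponents generated, one modular multiplication each.  This is
    our own heuristic (not Olivos' algorithm): each target is written as a sum
    of two known values when possible, otherwise the gap to the largest known
    value is built first.
    """
    avail, made = {1}, []
    for w in sorted(set(targets)):
        stack = [w]
        while stack:
            t = stack[-1]
            if t in avail:
                stack.pop()
            elif any((t - a) in avail for a in avail):   # t = a + b, both known
                avail.add(t)
                made.append(t)
                stack.pop()
            else:                                        # build t - a_max first
                stack.append(t - max(a for a in avail if a < t))
    return made


def mary_powmod(M, e, n, r, adaptive=False):
    """Compute M^e mod n scanning e in r-bit digits F_i (m = 2^r).

    Returns (C, precomp_mults, squarings, mults).  adaptive=True precomputes
    only the M^w for digits w that occur in e (Section 2.4.2); otherwise all
    of M^2 .. M^(m-1) are formed by repeated multiplication by M (Step 1).
    """
    m = 1 << r
    s = max(1, -(-e.bit_length() // r))               # digits, zero-padded at the top
    F = [(e >> (r * i)) & (m - 1) for i in range(s)]  # F_0 .. F_{s-1}
    powers = {0: 1, 1: M % n}
    order = addition_sequence(w for w in F if w > 1) if adaptive else list(range(2, m))
    for w in order:                                   # Step 1
        a = next(a for a in powers if a > 0 and (w - a) in powers)
        powers[w] = powers[a] * powers[w - a] % n
    C = powers[F[s - 1]]                              # Step 3
    squarings = mults = 0
    for i in range(s - 2, -1, -1):                    # Step 4
        for _ in range(r):                            # 4a: C := C^(2^r)
            C = C * C % n
            squarings += 1
        if F[i]:                                      # 4b
            C = C * powers[F[i]] % n
            mults += 1
    return C, len(order), squarings, mults


def avg_mary(k, r):
    """Average multiplications plus squarings of the m-ary method, m = 2^r."""
    return (2 ** r - 2) + (k - r) + (k / r - 1) * (1 - 2.0 ** -r)


def avg_binary(k):
    """The r = 1, m = 2 case: (3/2)(k - 1)."""
    return 1.5 * (k - 1)


def optimal_r(k):
    """Digit size r* minimizing avg_mary, found by enumeration as in the table."""
    return min(range(1, 13), key=lambda r: avg_mary(k, r))


if __name__ == "__main__":
    M, n, e = 123456789, 1000000007, 250            # constructed sample values
    for r, adaptive in ((2, False), (3, False), (3, True)):
        C, pre, sq, mu = mary_powmod(M, e, n, r, adaptive)
        assert C == pow(M, e, n)
        print(f"r={r} adaptive={adaptive}: {pre} + {sq} + {mu} = {pre + sq + mu}")
    for k in (8, 512, 1024, 2048):
        r = optimal_r(k)
        print(f"k={k}: binary {round(avg_binary(k))}, m-ary {round(avg_mary(k, r))}, r*={r}")
```

Running the block reproduces the three counts worked out above for $e = 250$ (quaternary $2 + 6 + 3$, octal $6 + 6 + 2$, adaptive octal $4 + 6 + 2$) and the m-ary column of the table for the listed $k$; the result is checked against Python's built-in `pow` each time.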
The asymptotic value of savings offered by the m-ary method is equal to 33 %. In order to
prove this statement, we compute the limit of the ratio

$$\lim_{k \to \infty} \frac{2^r - 2 + k - r + \left(\frac{k}{r} - 1\right)\left(1 - 2^{-r}\right)}{\frac{3}{2}(k - 1)} = \frac{2}{3}\left(1 + \frac{1 - 2^{-r}}{r}\right) ,$$

which tends to $\frac{2}{3}$ as $r$ grows, i.e., a saving of one third over the binary method.



2.5 The Adaptive m-ary Methods 

The adaptive methods are those which form their method of computation according to the
input data. In the case of exponentiation, an adaptive algorithm will modify its structure
according to the exponent $e$, once it is supplied. As we have pointed out earlier, the number
of preprocessing multiplications can be reduced if the partitioned binary expansion of $e$ does
not contain all possible bit-section values $w$. However, there are also adaptive algorithms
which partition the exponent into a series of zero and nonzero words in order to decrease
the number of multiplications required in Step 4b of the m-ary method. In the following we
introduce these methods, and give the required number of multiplications and squarings.

2.5.1 Reducing Preprocessing Multiplications 

We have already briefly introduced this method. Once the binary expansion of the exponent
is obtained, we partition this number into groups of $d$ bits each. We then precompute and
obtain $M^w \pmod n$ only for those $w$ which appear in the binary expansion. Consider the
following exponent for $k = 16$ and $d = 4$

1011 0011 0111 1000

which implies that we need to compute $M^w \pmod n$ for only $w = 3, 7, 8, 11$. The exponent
values $w = 3, 7, 8, 11$ can be sequentially obtained as follows:



$M^2 = M \cdot M$
$M^3 = M^2 \cdot M$
$M^4 = M^2 \cdot M^2$
$M^7 = M^3 \cdot M^4$
$M^8 = M^4 \cdot M^4$
$M^{11} = M^8 \cdot M^3$



which requires 6 multiplications. The m-ary method that disregards the necessary exponent
values and computes all of them would require $16 - 2 = 14$ preprocessing multiplications.
The number of multiplications that can be saved is upper-bounded by $m - 2 = 2^d - 2$, which
is the case when all partitioned exponent values are equal to 1, e.g., when

0001 0001 0001 0001

This implies that we do not precompute anything, just use $M$. This happens quite rarely.
In general, we have to compute $M^w \pmod n$ for all $w = w_0, w_1, \ldots, w_{p-1}$. If the span of
the set $\{w_i \mid i = 0, 1, \ldots, p - 1\}$ is the values $2, 3, \ldots, 2^d - 1$, then there is no saving. We
perform $2^d - 2$ multiplications and obtain all of these values. However, if the span is a subset
(especially a small subset) of the values $2, 3, \ldots, 2^d - 1$, then some savings can be achieved if
we can compute $M^{w_i}$ for $i = 0, 1, \ldots, p - 1$ using much fewer than $2^d - 2$ multiplications. An
algorithm for computing any given $p$ exponent values is called a vectorial addition chain, and
in the case of $p = 1$, an addition chain. Unfortunately, the problem of obtaining an addition
chain of minimal length is an NP-complete problem [9]. We will elaborate on addition and
vectorial addition chains in the last section of this chapter.

2.5.2 The Sliding Window Techniques 

The m-ary method decomposes the bits of the exponent into $d$-bit words. The probability
of a word of length $d$ being zero is equal to $2^{-d}$, assuming that the 0 and 1 bits are produced
with equal probability. In Step 4b of the m-ary method, we skip a multiplication whenever
the current word is equal to zero. Thus, as $d$ grows larger, the probability that we have to
perform the multiplication operation in Step 4b becomes larger. However, the total number of
multiplications increases as $d$ decreases. The sliding window algorithms provide a compromise
by allowing zero and nonzero words of variable length; this strategy aims to increase
the average number of zero words, while using relatively large values of $d$.

A sliding window exponentiation algorithm first decomposes $e$ into zero and nonzero
words (windows) $F_i$ of length $L(F_i)$. The number of windows $p$ may not be equal to $k/d$.
In general, it is also not required that the length of the windows be equal. We take $d$ to be
the length of the longest window, i.e., $d = \max(L(F_i))$ for $i = 0, 1, \ldots, p - 1$. Furthermore,
if $F_i$ is a nonzero window, then the least significant bit of $F_i$ must be equal to 1. This is
because we partition the exponent starting from the least significant bit, and there is no point
in starting a nonzero window with a zero bit. Consequently, the number of preprocessing
multiplications (Step 1) is nearly halved, since $M^w$ is computed for odd $w$ only.

The Sliding Window Method

Input: $M, e, n$.

Output: $C = M^e \pmod n$.

1. Compute and store $M^w \pmod n$ for all $w = 3, 5, 7, \ldots, 2^d - 1$.

2. Decompose $e$ into zero and nonzero windows $F_i$ of length $L(F_i)$
for $i = 0, 1, 2, \ldots, p - 1$.

3. $C := M^{F_{p-1}} \pmod n$

4. for $i = p - 2$ downto $0$
4a. $C := C^{2^{L(F_i)}} \pmod n$

4b. if $F_i \ne 0$ then $C := C \cdot M^{F_i} \pmod n$

5. return $C$

Two sliding window partitioning strategies have been proposed [19, 4]. These methods differ
in whether the length of a nonzero window must be a constant ($= d$) or can be variable
(however, $\le d$). In the following sections, we give algorithmic descriptions of these two
partitioning strategies.

2.5.3 Constant Length Nonzero Windows 

The constant length nonzero window (CLNW) partitioning algorithm is due to Knuth [19].
The algorithm scans the bits of the exponent from the least significant to the most significant.
At any step, the algorithm is either forming a zero window (ZW) or a nonzero window (NW).
The algorithm is described below:

ZW: Check the incoming single bit: if it is a 0 then stay in ZW; else go to NW.

NW: Stay in NW until all $d$ bits are collected. Then check the incoming single bit: if it is
a 0 then go to ZW; else go to NW.

Notice that while in NW, we distinguish between staying in NW and going to NW. The
former means that we continue to form the same nonzero window, while the latter implies
the beginning of a new nonzero window. The CLNW partitioning strategy produces zero
windows of arbitrary length, and nonzero windows of length $d$. There cannot be two adjacent
zero windows; they are necessarily concatenated; however, two nonzero windows may be
adjacent. For example, for $d = 3$, we partition $e = 3665 = (111001010001)$ as

$e = 111\ 00\ 101\ 0\ 001$.

The CLNW sliding window algorithm first performs the preprocessing multiplications and
obtains $M^w \pmod n$ for $w = 3, 5, 7$.



    bits    w    M^w
    001     1    $M$
    010     2    $M \cdot M = M^2$
    011     3    $M \cdot M^2 = M^3$
    101     5    $M^3 \cdot M^2 = M^5$
    111     7    $M^5 \cdot M^2 = M^7$



The algorithm assigns $C := M^{F_4} = M^7 \pmod n$, and then proceeds to compute $M^{3665}
\pmod n$ as follows:



    i    F_i    L(F_i)    Step 4a                       Step 4b
    3    00     2         $(M^7)^4 = M^{28}$            $M^{28}$
    2    101    3         $(M^{28})^8 = M^{224}$        $M^{224} \cdot M^5 = M^{229}$
    1    0      1         $(M^{229})^2 = M^{458}$       $M^{458}$
    0    001    3         $(M^{458})^8 = M^{3664}$      $M^{3664} \cdot M = M^{3665}$
Thus, a total of $4 + 9 + 2 = 15$ modular multiplications are performed. The average number
of multiplications can be found by modeling the partitioning process as a Markov chain. The
details of this analysis are given in [23]. In the following table, we tabulate the average number
of multiplications for the m-ary and the CLNW sliding window methods. The column for the
m-ary method contains the optimal values $d^*$ for each $k$. As expected, there exists an optimal
value of $d$ for each $k$ for the CLNW sliding window algorithm. These optimal values are also
included in the table. The last column of the table contains the percentage difference in the
average number of multiplications. The CLNW partitioning strategy reduces the average
number of multiplications by 3-7 % for $128 \le k \le 2048$. The overhead of the partitioning is
negligible; the number of bit operations required to obtain the partitioning is proportional
to $k$.



    k       m-ary           CLNW            (T - T_1)/T
            d*     T        d*     T_1      %
    128     4      168      4      156      7.14
    256     4      326      5      308      5.52
    512     5      636      5      607      4.56
    768     5      941      6      903      4.04
    1024    5      1247     6      1195     4.17
    1280    6      1546     6      1488     3.75
    1536    6      1844     6      1780     3.47
    1792    6      2142     7      2072     3.27
    2048    6      2440     7      2360     3.28



2.5.4 Variable Length Nonzero Windows 

The CLNW partitioning strategy starts a nonzero window when a 1 is encountered. Although
the incoming $d - 1$ bits may all be zero, the algorithm continues to append them to the current
nonzero window. For example, for $d = 3$, the exponent $e = (111001010001)$ was partitioned
as

$e = 111\ 00\ 101\ 0\ 001$.

However, if we allow variable length nonzero windows, we can partition this number as

$e = 111\ 00\ 101\ 000\ 1$.

We will show that this strategy further decreases the average number of nonzero windows.
The variable length nonzero window (VLNW) partitioning strategy was proposed by Bos and
Coster in [4]. The strategy requires that during the formation of a nonzero window (NW),
we switch to ZW when the remaining bits are all zero. The VLNW partitioning strategy has
two integer parameters:

• $d$ : maximum nonzero window length,

• $q$ : minimum number of zeros required to switch to ZW.

The algorithm proceeds as follows:

ZW: Check the incoming single bit: if it is zero then stay in ZW; else go to NW.

NW: Check the incoming $q$ bits: if they are all zero then go to ZW; else stay in NW. Let
$d = lq + r + 1$ where $1 \le r \le q$. Stay in NW until $lq + 1$ bits are received. At the last
step, the number of incoming bits will be equal to $r$. If these $r$ bits are all zero then go
to ZW; else stay in NW. After all $d$ bits are collected, check the incoming single bit: if
it is zero then go to ZW; else go to NW.

The VLNW partitioning produces nonzero windows which start with a 1 and end with a 1.
Two nonzero windows may be adjacent; however, the one in the least significant position
will necessarily have $d$ bits. Two zero windows will not be adjacent since they will be
concatenated. For example, let $d = 5$ and $q = 2$; then $5 = 1 \cdot 2 + 2 + 1$, thus $l = 1$ and $r = 2$.
The following illustrates the partitioning of a long exponent according to these parameters:

101 0 11101 00 101 10111 000000 1 00 111 000 1011 .

Also, let $d = 10$ and $q = 4$, which implies $l = 2$ and $r = 1$. A partitioning example is
illustrated below:

1011011 0000 11 0000 11110111 00 1111110101 0000 11011 .

In order to compute the average number of multiplications, the VLNW partitioning process,
like the CLNW process, can be modeled using a Markov chain. This analysis was performed
in [23], and the average number of multiplications has been calculated for $128 \le k \le 2048$.
In the following table, we tabulate these values together with the optimal values of $d$ and $q$,
and compare them to those of the m-ary method. Experiments indicate that the best values
of $q$ are between 1 and 3 for $128 \le k \le 2048$ and $4 \le d \le 8$. The VLNW algorithm requires
5-8 % fewer multiplications than the m-ary method.





    k       m-ary             VLNW (T_2/k)                              Savings
            d*    T/k         d*    q = 1    q = 2    q = 3    for q* (%)
    128     4     1.305       4     1.204    1.203    1.228    7.82
    256     4     1.270       4     1.184    1.185    1.212    6.77
    512     5     1.241       5     1.163    1.175    1.162    6.37
    768     5     1.225       5     1.155    1.167    1.154    5.80
    1024    5     1.217       6     1.148    1.146    1.157    5.83
    1280    6     1.207       6     1.142    1.140    1.152    5.55
    1536    6     1.200       6     1.138    1.136    1.148    5.33
    1792    6     1.195       6     1.136    1.134    1.146    5.10
    2048    6     1.191       6     1.134    1.132    1.144    4.95
The sliding window algorithms are easy to program, introducing negligible overhead. The
reduction in terms of the number of multiplications is notable; for example, for $k = 512$, the
m-ary method requires 636 multiplications whereas the CLNW and VLNW sliding window
algorithms require 607 and 595 multiplications, respectively. In Figure 2.1, we plot the scaled
average number of multiplications $T/k$, i.e., the average number of multiplications $T$ divided
by the total number of bits $k$, for the m-ary and the sliding window algorithms as a function
of $k = 128, 256, \ldots, 2048$.

Figure 2.1: The values of $T/k$ for the m-ary and the sliding window algorithms.
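The CLNW and VLNW partitioning of Section 2.5 and the sliding window method run over the resulting windows, as an added Python example that is not part of the original report. The function names and sample values are ours. For VLNW the NW rule is implemented in our reading of it: after every bit appended to a nonzero window the next $q$ bits are inspected, the window closes if they are all zero and otherwise grows by one bit, up to $d$ bits; this reading reproduces both partitions printed in Section 2.5.4, but the report itself phrases the rule in terms of $l$ and $r$.

```python
# Added example: CLNW and VLNW partitioning (Section 2.5) and the sliding
# window method run over the resulting windows, with an operation counter.
# Not from the original report; names and sample values are ours.  Windows
# are returned most significant first, as the worked examples list them.


def _bits_lsb_first(e):
    return [(e >> i) & 1 for i in range(e.bit_length())]


def _window_string(bits_lsb):
    return "".join(str(b) for b in reversed(bits_lsb))


def clnw_partition(e, d):
    """Constant length nonzero windows (Knuth).  Scanning from the LSB, a run
    of zeros forms a zero window; a 1 opens a nonzero window of exactly d bits
    (fewer only when the exponent runs out)."""
    bits = _bits_lsb_first(e)
    windows, i = [], 0
    while i < len(bits):
        if bits[i] == 0:
            j = i
            while j < len(bits) and bits[j] == 0:
                j += 1
        else:
            j = min(i + d, len(bits))
        windows.append(_window_string(bits[i:j]))
        i = j
    return windows[::-1]


def vlnw_partition(e, d, q):
    """Variable length nonzero windows (Bos and Coster) with parameters d and q.

    Our reading of the NW rule: after each bit appended to a nonzero window the
    next q bits are inspected; if they are all zero the window closes there,
    otherwise one more bit is taken, up to d bits in total.  This reproduces
    both partitions printed in Section 2.5.4."""
    bits = _bits_lsb_first(e)
    windows, i = [], 0
    while i < len(bits):
        if bits[i] == 0:
            j = i
            while j < len(bits) and bits[j] == 0:
                j += 1
        else:
            j = i + 1
            while j < len(bits) and j - i < d and any(bits[j:j + q]):
                j += 1
        windows.append(_window_string(bits[i:j]))
        i = j
    return windows[::-1]


def sliding_window_powmod(M, e, n, windows):
    """Steps 1-5 of the sliding window method over a given partition of e.
    Returns (C, precomp_mults, squarings, mults).  Step 1 forms M^2 once and
    then every odd power up to 2^d - 1, d being the longest window."""
    assert int("".join(windows), 2) == e, "windows must concatenate to e"
    d = max(len(w) for w in windows)
    M %= n
    powers, precomp = {1: M}, 0
    if d > 1:
        M2 = M * M % n
        precomp = 1
        for w in range(3, 1 << d, 2):                 # Step 1: odd w only
            powers[w] = powers[w - 2] * M2 % n
            precomp += 1
    C = powers[int(windows[0], 2)]                    # Step 3: top window is nonzero
    squarings = mults = 0
    for w in windows[1:]:                             # Step 4
        for _ in range(len(w)):                       # 4a: C := C^(2^L(F_i))
            C = C * C % n
            squarings += 1
        if int(w, 2):                                 # 4b
            C = C * powers[int(w, 2)] % n
            mults += 1
    return C, precomp, squarings, mults


if __name__ == "__main__":
    M, n, e = 123456789, 1000000007, 3665           # constructed sample values
    for name, windows in (("CLNW d=3", clnw_partition(e, 3)),
                          ("VLNW d=3 q=2", vlnw_partition(e, 3, 2))):
        C, pre, sq, mu = sliding_window_powmod(M, e, n, windows)
        assert C == pow(M, e, n)
        print(f"{name}: {' '.join(windows)} -> {pre} + {sq} + {mu} = {pre + sq + mu}")
    big = int("101" "0" "11101" "00" "101" "10111" "000000" "1" "00" "111" "000" "1011", 2)
    print("VLNW d=5 q=2:", " ".join(vlnw_partition(big, 5, 2)))
```

For $e = 3665$ and $d = 3$ the CLNW run reproduces the windows 111, 00, 101, 0, 001 and the count $4 + 9 + 2 = 15$ from Section 2.5.3; the VLNW partition 111, 00, 101, 000, 1 of Section 2.5.4 costs the same number of operations for this exponent, and the $d = 5$, $q = 2$ example is reproduced window by window.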

2.6 The Factor Method 

The factor method is given by Knuth [19]. It is based on factorization of the exponent $e = rs$
where $r$ is the smallest prime factor of $e$ and $s > 1$. We compute $M^e$ by first computing $M^r$
and then raising this value to the $s$th power:

$C_1 = M^r$,

$C_2 = C_1^s = M^{rs} = M^e$.

If $e$ is prime, then we first compute $M^{e-1}$ then multiply this quantity by $M$. The algorithm
is recursive, e.g., in order to compute $M^r$, we factor $r = r_1 \cdot r_2$ such that $r_1$ is the smallest
prime factor of $r$ and $r_2 > 1$. This process continues until the exponent value required is
equal to 2. As an example, we illustrate the computation of $M^e$ for $e = 55 = 5 \cdot 11$ in the
following:

Compute: $M \to M^2 \to M^4 \to M^5$

Assign: $a := M^5$

Compute: $a \to a^2$

Assign: $b := a^2$

Compute: $b \to b^2 \to b^4 \to b^5$

Compute: $b^5 \to b^5 \cdot a = M^{55}$

The factor method requires 8 multiplications for computing $M^{55}$. The binary method, on
the other hand, requires 9 multiplications since $e = 55 = (110111)$ implies 5 squarings (Step
2a) and 4 multiplications (Step 2b).

Unfortunately, the factor method requires factorization of the exponent, which would be 
very difficult for large numbers. However, this method could still be of use for the RSA 
cryptosystem whenever the exponent value is small. It may also be useful if the exponent is 
constructed carefully, i.e., in a way to allow easy factorization. 

2.7 The Power Tree Method 

The power tree method is also due to Knuth [19]. This algorithm constructs a tree according
to a heuristic. The nodes of the tree are labeled with positive integers starting from 1. The
root of the tree receives 1. Suppose that the tree is constructed down to the $k$th level.
Consider the node $e$ of the $k$th level, from left to right. Construct the $(k + 1)$st level by
attaching below node $e$ the nodes

$e + a_1,\ e + a_2,\ e + a_3,\ \ldots,\ e + a_k$

where $a_1, a_2, a_3, \ldots, a_k$ is the path from the root of the tree to $e$. (Note: $a_1 = 1$ and $a_k = e$.)
In this process, we discard any duplicates that have already appeared in the tree. The power
tree down to 5 levels is given in Figure 2.2.




Figure 2.2: The Power Tree.
In order to compute $M^e$, we locate $e$ in the power tree. The sequence of exponents that
occur in the computation of $M^e$ is found on the path from the root to $e$. For example, the
computation of $M^{18}$ requires 5 multiplications:

$M \to M^2 \to M^3 \to M^6 \to M^9 \to M^{18}$

For certain exponent values of $e$, the power tree method requires fewer multiplications,
e.g., the computation of $M^{23}$ by the power tree method requires 6 multiplications:

$M \to M^2 \to M^3 \to M^5 \to M^{10} \to M^{13} \to M^{23}$

However, since $23 = (10111)$, the binary method requires $4 + 3 = 7$ multiplications:

$M \to M^2 \to M^4 \to M^5 \to M^{10} \to M^{11} \to M^{22} \to M^{23}$

Also, since $23 - 1 = 22 = 2 \cdot 11$, the factor method requires $1 + 5 + 1 = 7$ multiplications:

$M \to M^2 \to M^4 \to M^8 \to M^{16} \to M^{20} \to M^{22} \to M^{23}$

Knuth gives another variation of the power tree heuristics in Problem 6 on page 463 [19]. The
power tree method is also applicable only for small exponents, since the tree needs to be "saved".

2.8 Addition Chains

Consider a sequence of integers

$a_0, a_1, a_2, \ldots, a_r$

with $a_0 = 1$ and $a_r = e$. If the sequence is constructed in such a way that for all $k$ there
exist indices $i, j < k$ such that

$a_k = a_i + a_j$,

then the sequence is an addition chain for $e$. The length of the chain is equal to $r$. An
addition chain for a given exponent $e$ is an algorithm for computing $M^e$. We start with $M^1$,
and proceed to compute $M^{a_k}$ using the two previously computed values $M^{a_i}$ and $M^{a_j}$ as
$M^{a_k} = M^{a_i} \cdot M^{a_j}$. The number of multiplications required is equal to $r$, which is the length of
the addition chain. The algorithms we have so far introduced, namely, the binary method,
the m-ary method, the sliding window method, the factor and the power tree methods, are
in fact methods of generating addition chains for the given exponent value $e$. Consider for
example $e = 55$; the addition chains generated by some of these algorithms are given below:



    binary:        1 2 3 6 12 13 26 27 54 55
    quaternary:    1 2 3 6 12 13 26 52 55
    octal:         1 2 3 4 5 6 7 12 24 48 55
    factor:        1 2 4 5 10 20 40 50 55
    power tree:    1 2 3 5 10 11 22 44 55



Given the positive integer $e$, the computation of the shortest addition chain for $e$ is established
to be an NP-complete problem [9]. This implies that we have to compute all possible
chains leading to $e$ in order to obtain the shortest one. However, since the first introduction
of the shortest addition chain problem by Scholz [19] in 1937, several properties of the
addition chains have been established:

• The upper bound on the length of the shortest addition chain for $e$ is equal to $\lfloor \log_2 e \rfloor +
H(e) - 1$, where $H(e)$ is the Hamming weight of $e$. This follows from the binary
method. In the worst case, we can use the binary method to compute $M^e$ using at
most $\lfloor \log_2 e \rfloor + H(e) - 1$ multiplications.

• The lower bound was established by Schönhage [44]: $\log_2 e + \log_2 H(e) - 2.13$. Thus,
no addition chain for $e$ can be shorter than $\log_2 e + \log_2 H(e) - 2.13$.

The previously given algorithms for computing $M^e$ are all heuristics for generating short
addition chains. We call these algorithms heuristics because they do not guarantee
minimality. Statistical methods, such as simulated annealing, can be used to produce short
addition chains for certain exponents. Certain heuristics for obtaining short addition chains
are discussed in [4, 52].

2.9 Vectorial Addition Chains 

Another related problem (which we have briefly mentioned in Section 2.5.1) is the generation
of vectorial addition chains. A vectorial addition chain of a given vector of integer
components is the list of vectors with the following properties:

• The initial vectors are the unit vectors $[1, 0, \ldots, 0], [0, 1, 0, \ldots, 0], \ldots, [0, \ldots, 0, 1]$.

• Each vector is the sum of two earlier vectors.

• The last vector is equal to the given vector.

For example, given the vector $[7, 15, 23]$, we obtain a vectorial addition chain as

$[1,0,0]$, $[0,1,0]$, $[0,0,1]$, $[0,1,1]$, $[1,1,1]$, $[0,1,2]$, $[1,2,3]$, $[1,3,5]$, $[2,4,6]$, $[3,7,11]$, $[4,8,12]$, $[7,15,23]$

which is of length 9. Short vectorial addition chains can be used to efficiently compute $M^{w_i}$
for several integers $w_i$. This problem arises in conjunction with reducing the preprocessing
multiplications in adaptive m-ary methods as well as in the sliding window technique
(refer to Section 2.5). If the exponent values that appear in the partitioning of the binary
expansion of $e$ are just 7, 15, and 23, then the above vectorial addition chain can be used for
obtaining these exponent values. This is achieved by noting a one-to-one correspondence
between the addition sequences and the vectorial addition chains. This result was established
by Olivos [35] who proved that the complexity of the computation of the multinomial

is the same as the simultaneous computation of the monomials

An addition sequence is simply an addition chain where the $i$ requested numbers $n_1, n_2, \ldots, n_i$
occur somewhere in the chain [53]. Using the Olivos algorithm, we convert the above vectorial
addition chain to the addition sequence with the requested numbers 7, 15, and 23 as

1 2 3 4 7 8 15 23

which is of length 7. In general an addition sequence of length $r$ and $i$ requested numbers
can be converted to a vectorial addition chain of length $r + i - 1$ with dimension $i$.
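The chain-generating methods of Sections 2.6 to 2.9, as an added Python example that is not part of the original report: the factor method's recursion and Knuth's power tree as chain generators, the defining check of an addition chain (which also accepts an addition sequence), and the evaluation of $M^e$ along a chain. Function names and the sample base and modulus are ours; the power tree is built exactly as described in Section 2.7, with duplicates discarded in left-to-right order.

```python
# Added example: exponent chains for the factor method (Section 2.6) and the
# power tree (Section 2.7), a validity check for addition chains and addition
# sequences (Sections 2.8, 2.9), and evaluation of M^e along a chain.  Not
# from the original report; function names and sample values are ours.


def smallest_prime_factor(e):
    f = 2
    while f * f <= e:
        if e % f == 0:
            return f
        f += 1
    return e


def factor_chain(e):
    """Addition chain for e from the factor method: for e = r*s with r the
    smallest prime factor, chain for M^r followed by the chain for s scaled by
    r (raising M^r to the s-th power); for prime e, chain for e-1 then e."""
    if e == 1:
        return [1]
    if e == 2:
        return [1, 2]
    r = smallest_prime_factor(e)
    if r == e:
        return factor_chain(e - 1) + [e]
    return factor_chain(r) + [r * a for a in factor_chain(e // r)[1:]]


def power_tree(levels):
    """Knuth's power tree down to the given level, as a {node: parent} map.
    Below node e (left to right) hang e + a_1, ..., e + a_k for the path
    a_1 .. a_k from the root to e, discarding values already in the tree."""
    parent, level = {1: None}, [1]
    for _ in range(levels - 1):
        nxt = []
        for e in level:
            path, x = [], e
            while x is not None:
                path.append(x)
                x = parent[x]
            for a in reversed(path):            # a_1 = 1 first, a_k = e last
                if e + a not in parent:
                    parent[e + a] = e
                    nxt.append(e + a)
        level = nxt
    return parent


def power_tree_chain(e, levels=12):
    """Path from the root of the power tree to e, i.e. the addition chain."""
    parent = power_tree(levels)
    if e not in parent:
        raise ValueError(f"{e} not within {levels} levels of the power tree")
    chain, x = [], e
    while x is not None:
        chain.append(x)
        x = parent[x]
    return chain[::-1]


def is_addition_chain(chain):
    """a_0 = 1 and every a_k is a_i + a_j for some earlier i, j (i = j allowed)."""
    if not chain or chain[0] != 1:
        return False
    for k in range(1, len(chain)):
        earlier = set(chain[:k])
        if not any(chain[k] - a in earlier for a in earlier):
            return False
    return True


def powers_by_chain(M, chain, n):
    """M^a mod n for every a in the chain, using len(chain) - 1 modular
    multiplications.  Also evaluates an addition sequence, so the requested
    powers M^7, M^15, M^23 are all available at the end."""
    assert is_addition_chain(chain)
    powers = {1: M % n}
    for a in chain[1:]:
        i = next(i for i in powers if a - i in powers)
        powers[a] = powers[i] * powers[a - i] % n
    return powers


if __name__ == "__main__":
    M, n = 123456789, 1000000007                  # constructed sample values
    for name, chain in (("factor", factor_chain(55)), ("power tree", power_tree_chain(55))):
        print(f"{name}: {chain} ({len(chain) - 1} multiplications)")
        assert powers_by_chain(M, chain, n)[55] == pow(M, 55, n)
    seq = [1, 2, 3, 4, 7, 8, 15, 23]             # Olivos addition sequence from the text
    p = powers_by_chain(M, seq, n)
    print("addition sequence gives M^7, M^15, M^23:", [p[w] == pow(M, w, n) for w in (7, 15, 23)])
```

`factor_chain(55)` and `power_tree_chain(55)` return the factor and power tree rows of the list above, `power_tree_chain(18)` and `power_tree_chain(23)` the paths given in Section 2.7, and the addition sequence 1 2 3 4 7 8 15 23 yields $M^7$, $M^{15}$ and $M^{23}$ with 7 multiplications.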

2.10 Recoding Methods 

In this section we discuss exponentiation algorithms which are intrinsically different from the
ones we have so far studied. The property of these algorithms is that they require the inverse
of $M$ modulo $n$ in order to efficiently compute $M^e \pmod n$. It is established that $k - 1$
is a lower bound for the number of squaring operations required for computing $M^e$, where
$k$ is the number of bits in $e$. However, it is possible to reduce the number of subsequent
multiplications using a recoding of the exponent [17, 33, 11, 21]. The recoding techniques
use the identity

$$2^{i+j-1} + 2^{i+j-2} + \cdots + 2^i = 2^{i+j} - 2^i$$

to collapse a block of 1s in order to obtain a sparse representation of the exponent. Thus,
a redundant signed-digit representation of the exponent using the digits $\{0, 1, \bar{1}\}$ will be
obtained, where $\bar{1}$ denotes $-1$. For example, $(011110)$ can be recoded as

$(011110) = 2^4 + 2^3 + 2^2 + 2^1$
$(1000\bar{1}0) = 2^5 - 2^1$.

Once a recoding of the exponent is obtained, we can use the binary method (or, the m-ary
method) to compute $M^e \pmod n$ provided that $M^{-1} \pmod n$ is supplied along with $M$.
For example, the recoding binary method is given below:

The Recoding Binary Method

Input: $M, M^{-1}, e, n$.
Output: $C = M^e \pmod n$.

0. Obtain a signed-digit representation $f$ of $e$.
1. if $f_k = 1$ then $C := M$ else $C := 1$

2. for $i = k - 1$ downto $0$
2a. $C := C \cdot C \pmod n$

2b. if $f_i = 1$ then $C := C \cdot M \pmod n$

else if $f_i = \bar{1}$ then $C := C \cdot M^{-1} \pmod n$

3. return $C$

Note that even though the number of bits of $e$ is equal to $k$, the number of digits in the
recoded exponent $f$ can be $k + 1$; for example, $(111)$ is recoded as $(100\bar{1})$. Thus, the
recoding binary algorithm starts from the digit position $k$ in order to compute $M^e \pmod n$
by computing $M^f \pmod n$, where $f$ is the $(k + 1)$-digit recoded exponent such that $f = e$.
We give an example of exponentiation using the recoding binary method. Let $e = 119 =
(1110111)$. The (nonrecoding) binary method requires $6 + 5 = 11$ multiplications in order to
compute $M^{119} \pmod n$. In the recoding binary method, we first obtain a sparse signed-
digit representation of 119. We will shortly introduce techniques for obtaining such recodings.
For now, it is easy to verify the following:

Exponent: $119 = 01110111$,
Recoded Exponent: $119 = 1000\bar{1}00\bar{1}$.

The recoding binary method then computes $M^{119} \pmod n$ as follows:



    f_i         Step 2a                      Step 2b
    1                                        $M$
    0           $(M)^2 = M^2$                $M^2$
    0           $(M^2)^2 = M^4$              $M^4$
    0           $(M^4)^2 = M^8$              $M^8$
    $\bar{1}$   $(M^8)^2 = M^{16}$           $M^{16} \cdot M^{-1} = M^{15}$
    0           $(M^{15})^2 = M^{30}$        $M^{30}$
    0           $(M^{30})^2 = M^{60}$        $M^{60}$
    $\bar{1}$   $(M^{60})^2 = M^{120}$       $M^{120} \cdot M^{-1} = M^{119}$



The number of squarings plus multiplications is equal to $7 + 2 = 9$, which is 2 less than that
of the binary method. The number of squaring operations required by the recoding binary
method can be at most 1 more than that of the binary method. The number of subsequent
multiplications, on the other hand, can be significantly less. This is simply equal to the
number of nonzero digits of the recoded exponent. In the following we describe algorithms
for obtaining a sparse signed-digit exponent. These algorithms have been used to obtain
efficient multiplication algorithms. It is well known that the shift-add type of multiplication
algorithms perform a shift operation for every bit of the multiplier; an addition is performed
if the current bit of the multiplier is equal to 1, otherwise no operation is performed, and the
algorithm proceeds to the next bit. Thus, the number of addition operations can be reduced
if we obtain a sparse signed-digit representation of the multiplier. We perform no operation
if the current multiplier bit is equal to 0, an addition if it is equal to 1, and a subtraction
if the current bit is equal to $\bar{1}$. These techniques are applicable to exponentiation, where
we replace addition by multiplication and subtraction by division, or multiplication with the
inverse.

2.10.1 The Booth Algorithm and Modified Schemes 

The Booth algorithm [3] scans the bits of the binary number $e = (e_{k-1} e_{k-2} \cdots e_1 e_0)$ from
right to left, and obtains the digits of the recoded number $f$ using the following truth table:



    e_i    e_{i-1}    f_i
    0      0          0
    0      1          1
    1      0          $\bar{1}$
    1      1          0

To obtain $f_0$, we take $e_{-1} = 0$, so that $f_i = e_{i-1} - e_i$. For example, the recoding of
$e = (111001111)$ is obtained as

$(111001111)$
$(100\bar{1}01000\bar{1})$

which is more sparse than the ordinary exponent. However, the Booth algorithm has a
shortcoming: the repeated sequences of $(01)$ are recoded as repeated sequences of $(1\bar{1})$.
Thus, the resulting number may be much less sparse. The worst case occurs for a number
of the form $e = (101010101)$, giving

$(101010101)$
$(1\bar{1}1\bar{1}1\bar{1}1\bar{1}1\bar{1})$

We are much better off not recoding this exponent. Another problem, which is related to this
one, with the Booth algorithm is that when two trails of ones are separated by a zero, the
Booth algorithm does not combine them even though they can be combined. For example,
the number $e = (11101111)$ is recoded as

$(11101111)$
$(100\bar{1}1000\bar{1})$

even though a more sparse recoding exists:

$(100\bar{1}1000\bar{1})$
$(1000\bar{1}000\bar{1})$

since $(\bar{1}1) = -2 + 1 = -1 = (0\bar{1})$. In order to circumvent these shortcomings of the Booth
algorithm, several modifications have been proposed [51, 16, 29]. These algorithms scan
several bits at a time, and attempt to avoid introducing unnecessary nonzero digits to the
recoded number. All of these algorithms which are designed for multiplication are applicable
for exponentiation. Running time analyses of some of these modified Booth algorithms in the
context of modular exponentiation have been performed [33, 21]. For example, the modified
Booth scheme given in [21] scans the bits of the exponent four bits at a time, sharing one bit
with the previous and two bits with the next case:





    e_{i+1}  e_i  e_{i-1}  e_{i-2}    f_i          e_{i+1}  e_i  e_{i-1}  e_{i-2}    f_i
    0        0    0        0          0            1        0    0        0          0
    0        0    0        1          0            1        0    0        1          0
    0        0    1        0          0            1        0    1        0          0
    0        0    1        1          1            1        0    1        1          1
    0        1    0        0          1            1        1    0        0          $\bar{1}$
    0        1    0        1          1            1        1    0        1          $\bar{1}$
    0        1    1        0          0            1        1    1        0          0
    0        1    1        1          0            1        1    1        1          0



This technique recodes the number in such a way that the isolated 1s stay untouched. Also,
$0110$ is recoded as $10\bar{1}0$, and any trail of 1s of length $i \ge 3$ is recoded as $10 \cdots 0\bar{1}$. We
have shown that the binary method requires $\frac{3}{2}(k - 1)$ squarings plus multiplications on the
average. The recoding binary method requires significantly fewer multiplications, and the
number of squarings is increased by at most 1. In order to count the average number of
subsequent multiplications, we calculate the probability of the signed-digit value being equal
to nonzero, i.e., 1 or $\bar{1}$. For the above recoding scheme, an analysis has been performed
in [21]. The recoding binary method using the recoding strategy given in the table requires
a total of $\frac{11}{8}(k - 1)$ squarings plus multiplications. The average asymptotic savings in the
number of squarings plus multiplications is equal to

$$\left(\frac{3}{2} - \frac{11}{8}\right) \Big/ \frac{3}{2} = \frac{1}{12} .$$

The average number of multiplications plus squarings are tabulated in the following table:



    k       binary    recoding
    8       11        10
    16      23        21
    32      47        43
    64      95        87
    128     191       175
    256     383       351
    512     767       703
    1024    1535      1407
    2048    3071      2815



2.10.2 The Canonical Recoding Algorithm 

In a signed-digit number with radix 2, three symbols $\{1, 0, \bar{1}\}$ are allowed for the digit
set, in which 1 in bit position $i$ represents $+2^i$ and $\bar{1}$ in bit position $i$ represents $-2^i$. A
minimal signed-digit vector $f = (f_k f_{k-1} \cdots f_1 f_0)$ that contains no adjacent nonzero digits
(i.e., $f_i f_{i-1} = 0$ for $0 < i \le k$) is called a canonical signed-digit vector. If the binary
expansion of $e$ is viewed as padded with an initial zero, then it can be proved that there
exists a unique canonical signed-digit vector for $e$ [38]. The canonical recoding algorithm
[38, 16, 29] computes the signed-digit number

$f = (f_k f_{k-1} f_{k-2} \cdots f_0)$

starting from the least significant digit. We set the auxiliary variable $c_0 = 0$ and examine the
binary expansion of $e$ two bits at a time. The canonically recoded digit $f_i$ and the next value
of the auxiliary binary variable $c_{i+1}$ for $i = 0, 1, 2, \ldots, k$ are computed using the following
truth table.



    $c_i$  $e_{i+1}$  $e_i$ | $c_{i+1}$  $f_i$
      0       0        0   |    0        0
      0       0        1   |    0        1
      0       1        0   |    0        0
      0       1        1   |    1        $\bar{1}$
      1       0        0   |    0        1
      1       0        1   |    1        0
      1       1        0   |    1        $\bar{1}$
      1       1        1   |    1        0



As an example, when $e = 3038$, i.e.,

$$e = (0101111011110) = 2^{11} + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 2^3 + 2^2 + 2^1 ,$$

we compute the canonical signed-digit vector $f$ as

$$f = (10\bar{1}0000\bar{1}000\bar{1}0) = 2^{12} - 2^{10} - 2^5 - 2^1 .$$

Note that in this example the exponent $e$ contains 9 nonzero bits while its canonically
recoded version contains only 4 nonzero digits. Consequently, the binary method requires
$11 + 8 = 19$ multiplications to compute $M^{3038}$ when applied to the binary expansion of $e$,
but only $12 + 3 = 15$ multiplications when applied to the canonical signed-digit vector $f$,
provided that $M^{-1} \pmod n$ is also supplied. The canonical signed-digit vector $f$ is optimal
in the sense that it has the minimum number of nonzero digits among all signed-digit vectors
representing the same number. For example, the following signed-digit number for $e = 3038$
produced by the original Booth recoding algorithm contains 5 nonzero digits instead of 4:

$$f = (011000\bar{1}1000\bar{1}0) = 2^{11} + 2^{10} - 2^6 + 2^5 - 2^1 .$$

Certain variations of the Booth algorithm also produce recodings which are suboptimal in
terms of the number of zero digits of the recoding. For example, the first of the two algorithms
given in [33] replaces the occurrences of $01^a0$ by $10^{a-1}\bar{1}0$, and consequently recodes
$(01111011110)$ as $(1000\bar{1}1000\bar{1}0)$. Since $(\bar{1}1) = (0\bar{1})$, the optimal recoding is $(10000\bar{1}000\bar{1}0)$.
The second algorithm in [33] recodes $(01111011110)$ correctly but is suboptimal on binary
numbers in which two trails of 1s are separated by $(010)$. For example, $(0111101011110)$ is
recoded as $(1000\bar{1}011000\bar{1}0)$, which can be made more sparse by using the identity $(\bar{1}011) =
(0\bar{1}0\bar{1})$. We note that Reitwiesner's canonical recoding algorithm has none of these shortcomings;
the recoding $f$ it produces is provably the optimal signed-digit number [38].

It has been observed that when the exponent is recoded using the canonical bit recoding
technique, the average number of multiplications for large $k$ can be reduced to $\frac{4}{3}k +
O(1)$ provided that $M^{-1}$ is supplied along with $M$. This is proved in [11] by using formal
languages to model the Markovian nature of the generation of canonically recoded signed-
digit numbers from binary numbers and counting the average number of nonzero bits. The
average asymptotic savings in the number of squarings plus multiplications is equal to




The average number of squarings plus multiplications are tabulated in the following table: 



       k    binary    canonical
       8        11           11
      16        23           22
      32        47           43
      64        95           86
     128       191          170
     256       383          342
     512       767          683
    1024      1535         1366
    2048      3071         2731



2.10.3 The Canonical Recoding m-ary Method

The recoding binary methods can be generalized to their respective recoding m-ary counterparts.
Once the digits of the exponent are recoded, we scan them more than one digit at
a time. In fact, more sophisticated techniques, such as the sliding window technique, can
also be used to compute $M^e \pmod n$ once the recoding of the exponent $e$ is obtained.
Since the partitioned exponent values are allowed to be negative numbers as well, during
the preprocessing step $M^w$ for certain $w < 0$ may be computed. This is easily accomplished
by computing $(M^{-1})^{-w} \pmod n$, because $M^{-1} \pmod n$ is assumed to be supplied along
with $M$. One hopes that these sophisticated algorithms someday will become useful. The
main obstacle in using them in the RSA cryptosystem seems to be that the time required
for the computation of $M^{-1} \pmod n$ exceeds the time gained by the use of the recoding
technique.
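The following is an added example, not code from the report: it drives the two recoding truth tables of Sections 2.10.1 and 2.10.2 (the modified Booth window table and the canonical recoding table), performs the signed-digit exponentiation with $M^{-1}$ of Section 2.10.2, and implements the canonical recoding m-ary method just described, with negative window values served from powers of $M^{-1}$. It needs Python 3.8 or later for `pow(M, -1, n)`, which stands in for the $M^{-1} \bmod n$ the text assumes is supplied; all function names are this example's own.

```python
# Added example, not code from the report: signed-digit recoding of the exponent driven by
# the two truth tables above (Sections 2.10.1 and 2.10.2) and the exponentiation methods that
# use it, including the canonical recoding m-ary method of Section 2.10.3.  Needs Python 3.8+
# for pow(M, -1, n), which stands in for the M^{-1} mod n the text assumes is supplied.
# All function names are this example's own.

# Canonical recoding truth table: (c_i, e_{i+1}, e_i) -> (c_{i+1}, f_i); -1 is the digit 1-bar.
CANONICAL = {
    (0, 0, 0): (0, 0), (0, 0, 1): (0, 1), (0, 1, 0): (0, 0), (0, 1, 1): (1, -1),
    (1, 0, 0): (0, 1), (1, 0, 1): (1, 0), (1, 1, 0): (1, -1), (1, 1, 1): (1, 0),
}
# Modified Booth window table: (e_{i+1}, e_i, e_{i-1}, e_{i-2}) -> f_i; windows not listed give 0.
BOOTH = {(0, 0, 1, 1): 1, (0, 1, 0, 0): 1, (0, 1, 0, 1): 1, (1, 0, 1, 1): 1,
         (1, 1, 0, 0): -1, (1, 1, 0, 1): -1}


def bit(e, i):
    """Bit e_i of e; zero outside the binary expansion, which supplies the padding bits."""
    return (e >> i) & 1 if i >= 0 else 0


def canonical_recode(e):
    """Canonical signed-digit vector (f_k ... f_0) of e >= 1, most significant digit first."""
    c, digits = 0, []
    for i in range(e.bit_length() + 1):          # one extra position for the padding zero e_k
        c, f = CANONICAL[(c, bit(e, i + 1), bit(e, i))]
        digits.append(f)
    return digits[::-1]


def booth_recode(e):
    """Recoding of e >= 1 by the modified Booth window table, most significant digit first."""
    digits = [BOOTH.get((bit(e, i + 1), bit(e, i), bit(e, i - 1), bit(e, i - 2)), 0)
              for i in range(e.bit_length() + 1)]
    return digits[::-1]


def binary_digits(e):
    return [int(b) for b in bin(e)[2:]]


def digits_value(digits):
    """Integer represented by a signed-digit vector given most significant digit first."""
    return sum(d << i for i, d in enumerate(reversed(digits)))


def nonzero(digits):
    return sum(1 for d in digits if d)


def signed_digit_exp(M, digits, n):
    """Left-to-right exponentiation with a signed-digit exponent: a 1-bar digit multiplies by
    M^{-1} mod n.  Returns (M^e mod n, squarings, multiplications), counted as in the text,
    i.e. nothing is charged for the leading nonzero digit."""
    M_inv = pow(M, -1, n)
    start = next(i for i, d in enumerate(digits) if d)          # skip leading zero digits
    R = M if digits[start] == 1 else M_inv
    squarings = mults = 0
    for d in digits[start + 1:]:
        R, squarings = R * R % n, squarings + 1
        if d:
            R, mults = R * (M if d == 1 else M_inv) % n, mults + 1
    return R, squarings, mults


def recoding_mary_exp(M, e, n, d):
    """Canonical recoding m-ary method, m = 2^d: the canonical digits of e are cut into d-digit
    windows whose values w may be negative; M^w for w < 0 is (M^{-1})^{-w} mod n.  Returns
    (M^e mod n, modular multiplications including the precomputation of the powers)."""
    digits = canonical_recode(e)
    digits = [0] * ((-len(digits)) % d) + digits                 # pad on the left to full windows
    windows = [digits_value(digits[i:i + d]) for i in range(0, len(digits), d)]
    M_inv = pow(M, -1, n)                                        # assumed supplied with M
    powers, ops = {0: 1, 1: M, -1: M_inv}, 0
    for w in range(2, max(abs(v) for v in windows) + 1):         # M^w and M^{-w}, one product each
        powers[w], powers[-w] = powers[w - 1] * M % n, powers[1 - w] * M_inv % n
        ops += 2
    R, started = 1, False
    for w in windows:
        if started:
            for _ in range(d):
                R, ops = R * R % n, ops + 1
        if w:
            if started:
                ops += 1
            R, started = R * powers[w] % n, True
    return R, ops


if __name__ == "__main__":
    e, M, n = 3038, 7, 1009                                      # constructed demo values
    for name, digits in (("binary", binary_digits(e)), ("Booth", booth_recode(e)),
                         ("canonical", canonical_recode(e))):
        print(name, digits, "nonzero:", nonzero(digits), signed_digit_exp(M, digits, n)[1:])
    for d in (1, 2, 3, 4):
        print("recoding m-ary, d =", d, recoding_mary_exp(M, e, n, d))
```

Running the script reproduces the $e = 3038$ figures of Section 2.10.2 (9, 5 and 4 nonzero digits; $11 + 8$ versus $12 + 3$ operations) and shows that the m-ary variant returns the same residue for every window width $d$; the operation count it reports includes the precomputed powers, which is exactly the overhead the analysis of [12] charges against the method.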

An analysis of the canonical recoding m-ary method has been performed in [12]. It is
shown that the average number of squarings plus multiplications for the recoding binary
($d = 1$), the recoding quaternary ($d = 2$), and the recoding octal ($d = 3$) methods are equal
to

T r (fc, 1) = | * - £ , T r (*, 2) = i * - \ , r r (* f 3) = § * + g t 

respectively. In comparison, the standard binary, quaternary, and octal methods respectively
require

multiplications on the average. Furthermore, the average number of squarings plus multiplications
for the canonical recoding m-ary method for $m = 2^d$ is equal to

T r {k, d) = k - d + (l - [2" +2 + (-D d+1 ] - 3 • 

For large $k$ and fixed $d$, the behavior of $T_r(k,d)$ and of $T_s(k,d)$ of the standard m-ary method
is governed by the coefficient of $k$. In the following table we compare the values $T_r(k,d)/k$
and $T_s(k,d)/k$ for large $k$.



    $d = \log_2 m$       1        2        3        4        5        6        7        8
    $T_s(k,d)/k$    1.5000   1.3750   1.2917   1.2344   1.1938   1.1641   1.1417   1.1245
    $T_r(k,d)/k$    1.3333   1.3333   1.2778   1.2292   1.1917   1.1632   1.1414   1.1244



We can compute directly from the expressions that for constant $d$

$$\lim_{k \to \infty} \frac{T_r(k,d)}{T_s(k,d)} = \frac{(d+1)2^d - \frac{4}{3}}{(d+1)2^d - 1} .$$

However, it is interesting to note that if we consider the optimal values $d_s$ and $d_r$ of $d$ (which
depend on $k$) which minimize the average number of multiplications required by the standard
and the recoded m-ary methods, respectively, then

$$\frac{T_r(k,d_r)}{T_s(k,d_s)} \to 1$$

for large $k$. It is shown in [12] that

T r (k,d r ) ^ l + £ 
T s {Kd s ) ~ l + i 

for large $k$, which implies $T_r(k,d_r) > T_s(k,d_s)$. Exact values of $d_s$ and $d_r$ for a given $k$ can
be obtained by enumeration. These optimal values of $d_s$ and $d_r$ are given in the following
table together with the corresponding values of $T_s$ and $T_r$ for each $k = 128, 256, \ldots, 2048$.
       k    $d_s$   $T_s(k,d_s)$   $d_r$   $T_r(k,d_r)$
     128      4            168      3            168
     256      4            326      4            328
     512      5            636      4            643
    1024      5           1247      5           1255
    2048      6           2440      6           2458



In the following figure, we plot the average number of multiplications required by the standard
and canonical recoding m-ary methods as a function of $d$ and $k$.

Figure 2.3: The standard versus recoding m-ary methods.

This figure and the previous analysis suggest that the recoding m-ary method may not be as
useful as the straightforward m-ary method. A discussion of the usefulness of the recoding
exponentiation techniques is found in the following section.

2.10.4 Recoding Methods for Cryptographic Algorithms

The recoding exponentiation methods can perhaps be useful if $M^{-1}$ can be supplied without
too much extra cost. Even though the inverse $M^{-1} \pmod n$ can easily be computed using
the extended Euclidean algorithm, the cost of this computation far exceeds the time gained
by the use of the recoding technique in exponentiation. Thus, at this time the recoding
techniques do not seem to be particularly applicable to the RSA cryptosystem. In some
contexts, where the plaintext $M$ as well as its inverse $M^{-1}$ modulo $n$ are available for some
reason, these algorithms can be quite useful since they offer significant savings in terms of
the number of multiplications, especially in the binary case. For example, the recoding binary
method requires $1.33k$ multiplications while the nonrecoding binary method requires $1.5k$
multiplications. Also, Kaliski [18] has recently shown that if one computes the Montgomery
inverse instead of the inverse, certain savings can be achieved by making use of the right-
shifting binary algorithm. Thus, Kaliski's approach can be utilized for fast computation of
the inverse, which opens up new avenues in speeding up modular exponentiation computations
using the recoding techniques.

On the other hand, the recoding techniques are shown to be useful for computations on
elliptic curves over finite fields, since in this case the inverse is available at no additional
cost [33, 20]. In this context, one computes $e \cdot M$ where $e$ is a large integer and $M$ is a
point on the elliptic curve. The multiplication operator is determined by the group law of
the elliptic curve. An algorithm for computing $M^e$ is easily converted to an algorithm for
computing $e \cdot M$, where we replace multiplication by addition and division (multiplication
with the inverse) by subtraction.



Chapter 3

Modular Multiplication

The modular exponentiation algorithms perform modular squaring and multiplication operations
at each step of the exponentiation. In order to compute $M^e \pmod n$ we need to
implement a modular multiplication routine. In this section we will study algorithms for
computing

$$R := a \cdot b \pmod n ,$$

where $a$, $b$, and $n$ are $k$-bit integers. Since $k$ is often more than 256, we need to build
data structures in order to deal with these large numbers. Assuming the word-size of the
computer is $w$ (usually $w = 16$ or $32$), we break the $k$-bit number into $s$ words such that
$(s-1)w < k \le sw$. The temporary results may take longer than $s$ words, and thus, they
need to be accommodated as well.

3.1 Modular Multiplication

In this report, we consider the following three methods for computing $R = a \cdot b \pmod n$.

• Multiply and then Reduce:

First Multiply: $t := a \cdot b$. Here $t$ is a $2k$-bit or $2s$-word number.

Then Reduce: $R := t \bmod n$. The result $R$ is a $k$-bit or $s$-word number.

The reduction is accomplished by dividing $t$ by $n$; however, we are not interested in
the quotient, we only need the remainder. The steps of the division algorithm can be
somewhat simplified in order to speed up the process.

• Blakley's method:

The multiplication steps are interleaved with the reduction steps.

• Montgomery's method:

This algorithm rearranges the residue class modulo $n$, and uses modulo $2^j$ arithmetic.

3.2 Standard Multiplication Algorithm

Let $a$ and $b$ be two $s$-digit ($s$-word) numbers expressed in radix $W$ as:

$$a = (a_{s-1} a_{s-2} \cdots a_0) = \sum_{i=0}^{s-1} a_i W^i , \qquad
  b = (b_{s-1} b_{s-2} \cdots b_0) = \sum_{j=0}^{s-1} b_j W^j ,$$

where the digits of $a$ and $b$ are in the range $[0, W-1]$. In general $W$ can be any positive
number. For computer implementations, we often select $W = 2^w$ where $w$ is the word-size
of the computer, e.g., $w = 32$. The standard (pencil-and-paper) algorithm for multiplying
$a$ and $b$ produces the partial products by multiplying a digit of the multiplier ($b$) by the
entire number $a$, and then summing these partial products to obtain the final $2s$-word
number $t$. Let $t_{ij}$ denote the (Carry, Sum) pair produced from the product $a_j \cdot b_i$. For
example, when $W = 10$, $a_j = 8$ and $b_i = 7$, then $t_{ij} = (5, 6)$. The pairs can be
arranged in a table as

$$\begin{array}{rcccccccc}
 & & & & & a_3 & a_2 & a_1 & a_0 \\
 & & & & \times & b_3 & b_2 & b_1 & b_0 \\ \hline
 & & & & & t_{03} & t_{02} & t_{01} & t_{00} \\
 & & & & t_{13} & t_{12} & t_{11} & t_{10} & \\
 & & & t_{23} & t_{22} & t_{21} & t_{20} & & \\
 + & & t_{33} & t_{32} & t_{31} & t_{30} & & & \\ \hline
 & t_7 & t_6 & t_5 & t_4 & t_3 & t_2 & t_1 & t_0
\end{array}$$

The last row denotes the total sum of the partial products, and represents the product as a
$2s$-word number. The standard algorithm for multiplication essentially performs the above
digit-by-digit multiplications and additions. In order to save space, a single partial product
variable $t$ is being used. The initial value of the partial product is equal to zero; we then
take a digit of $b$ and multiply by the entire number $a$, and add it to the partial product $t$.
The partial product variable $t$ contains the final product $a \cdot b$ at the end of the computation.
The standard algorithm for computing the product $a \cdot b$ is given below:

The Standard Multiplication Algorithm

Input: $a, b$
Output: $t = a \cdot b$

0. Initially $t_i := 0$ for all $i = 0, 1, \ldots, 2s-1$.
1. for $i = 0$ to $s - 1$
2.    $C := 0$
3.    for $j = 0$ to $s - 1$
4.       $(C, S) := t_{i+j} + a_j \cdot b_i + C$
5.       $t_{i+j} := S$
6.    $t_{i+s} := C$
7. return $(t_{2s-1} t_{2s-2} \cdots t_0)$

In the following, we show the steps of the computation of $a \cdot b = 348 \cdot 857$ using the standard
algorithm.



    i   j   Step                    (C,S)    Partial t
    0   0   $t_0 + a_0 b_0 + C$      (0,*)    000000
            $0 + 8 \cdot 7 + 0$      (5,6)    000006
        1   $t_1 + a_1 b_0 + C$
            $0 + 4 \cdot 7 + 5$      (3,3)    000036
        2   $t_2 + a_2 b_0 + C$
            $0 + 3 \cdot 7 + 3$      (2,4)    000436
                                              002436
    1   0   $t_1 + a_0 b_1 + C$      (0,*)
            $3 + 8 \cdot 5 + 0$      (4,3)    002436
        1   $t_2 + a_1 b_1 + C$
            $4 + 4 \cdot 5 + 4$      (2,8)    002836
        2   $t_3 + a_2 b_1 + C$
            $2 + 3 \cdot 5 + 2$      (1,9)    009836
                                              019836
    2   0   $t_2 + a_0 b_2 + C$      (0,*)
            $8 + 8 \cdot 8 + 0$      (7,2)    019236
        1   $t_3 + a_1 b_2 + C$
            $9 + 4 \cdot 8 + 7$      (4,8)    018236
        2   $t_4 + a_2 b_2 + C$
            $1 + 3 \cdot 8 + 4$      (2,9)    098236
                                              298236



In order to implement this algorithm, we need to be able to execute Step 4:

$$(C, S) := t_{i+j} + a_j \cdot b_i + C ,$$

where the variables $t_{i+j}$, $a_j$, $b_i$, $C$, and $S$ each hold a single word, i.e., a $w$-bit number. This
step is termed an inner-product operation, which is common in many of the arithmetic
and number-theoretic calculations. The inner-product operation above requires that we
multiply two $w$-bit numbers, add this product to the previous carry, which is also a $w$-bit
number, and then add this result to the running partial product word $t_{i+j}$. From these three
operations we obtain a $2w$-bit number, since the maximum value is

$$2^w - 1 + (2^w - 1)(2^w - 1) + 2^w - 1 = 2^{2w} - 1 .$$

Also, since the inner-product step is within the innermost loop, it needs to run as fast
as possible. Of course, the best thing is to have a single microprocessor instruction for
this computation; unfortunately, none of the currently available microprocessors and signal
processors offers such a luxury. A brief inspection of the steps of this algorithm reveals that
the total number of inner-product steps is equal to $s^2$. Since $s = k/w$ and $w$ is a constant on a
given computer, the standard multiplication algorithm requires $O(k^2)$ bit operations in order
to multiply two $k$-bit numbers. This algorithm is asymptotically slower than the Karatsuba
algorithm and the FFT-based algorithm, which are to be studied next. However, it is simpler
to implement and, for small numbers, gives better performance than these asymptotically
faster algorithms.
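The following is an added example, not code from the report: the standard multiplication algorithm above on radix-$W$ digits, with Step 4 written as its own function so the $(C, S)$ splitting is explicit, and an optional trace that reproduces the $348 \cdot 857$ table when $W = 10$. The function names are this example's own.

```python
# Added example, not code from the report: the standard multiplication algorithm of this
# section on radix-W digits (least significant digit first), with Step 4 written as a function
# so the (C, S) splitting is explicit, and a trace that reproduces the 348 * 857 table above
# when W = 10.  Names are this example's own.

def to_digits(x, W, s=None):
    """Radix-W digits of x, least significant first, padded with zeros to s digits."""
    digits = []
    while x:
        x, r = divmod(x, W)
        digits.append(r)
    if s is None:
        s = len(digits) or 1
    return digits + [0] * (s - len(digits))


def from_digits(digits, W):
    return sum(d * W ** i for i, d in enumerate(digits))


def inner_product(t, a, b, C, W):
    """Step 4, (C, S) := t + a*b + C.  With t, a, b, C < W the sum is at most W^2 - 1 (the
    2^{2w} - 1 bound of the text), so it always splits into a carry C < W and a digit S < W."""
    return divmod(t + a * b + C, W)


def standard_multiply(a, b, W, trace=None):
    """Product of a and b as 2s digits in radix W.  If `trace` is a list, the tuple
    (i, j, (C, S), partial t) is appended after every inner-product step."""
    s = max(len(to_digits(a, W)), len(to_digits(b, W)))
    A, B = to_digits(a, W, s), to_digits(b, W, s)
    t = [0] * (2 * s)                                   # Step 0
    for i in range(s):                                  # Step 1: one pass per multiplier digit b_i
        C = 0                                           # Step 2
        for j in range(s):                              # Step 3
            C, S = inner_product(t[i + j], A[j], B[i], C, W)   # Step 4
            t[i + j] = S                                # Step 5
            if trace is not None:
                trace.append((i, j, (C, S), from_digits(t, W)))
        t[i + s] = C                                    # Step 6: the last carry becomes a new digit
    return t                                            # Step 7


def multiply(a, b, w=32):
    """a * b using w-bit words, i.e. W = 2^w, as on a computer with word size w."""
    W = 1 << w
    return from_digits(standard_multiply(a, b, W), W)


if __name__ == "__main__":
    steps = []
    digits = standard_multiply(348, 857, 10, steps)
    for i, j, cs, partial in steps:
        print(f"i={i} j={j}  (C,S)={cs}  partial t={partial:06d}")
    print("".join(map(str, reversed(digits))))          # 298236
```

The trace column matches the "Partial t" column of the table above step for step; `multiply` uses the same routine with $W = 2^{32}$, which is the configuration the inner-product discussion has in mind.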

3.3 Karatsuba-Ofman Algorithm

We now describe a recursive algorithm which requires asymptotically fewer than $O(k^2)$ bit
operations to multiply two $k$-bit numbers. The algorithm was introduced by two Russian
mathematicians, Karatsuba and Ofman, in 1962. The details of the Karatsuba-Ofman
algorithm can be found in Knuth's book [19]. The following is a brief explanation of the
algorithm. First, decompose $a$ and $b$ into two equal-size parts:

$$a := 2^h a_1 + a_0 , \qquad b := 2^h b_1 + b_0 ,$$

i.e., $a_1$ is the higher-order $h$ bits of $a$ and $a_0$ is the lower $h$ bits of $a$, assuming $k$ is even and
$2h = k$. Since we will be worried only about the asymptotics of the algorithm, let us assume
that $k$ is a power of 2. The algorithm breaks the multiplication of $a$ and $b$ into multiplications
of the parts $a_0$, $a_1$, $b_0$, and $b_1$. Since

$$\begin{aligned}
t &:= a \cdot b \\
  &:= (2^h a_1 + a_0)(2^h b_1 + b_0) \\
  &:= 2^{2h}(a_1 b_1) + 2^h(a_1 b_0 + a_0 b_1) + a_0 b_0 \\
  &:= 2^{2h} t_2 + 2^h t_1 + t_0 ,
\end{aligned}$$

the multiplication of two $2h$-bit numbers seems to require the multiplication of four $h$-bit
numbers. This formulation yields a recursive algorithm which we will call the standard
recursive multiplication algorithm (SRMA).

function SRMA($a$, $b$)
    $t_0 :=$ SRMA($a_0$, $b_0$)
    $t_2 :=$ SRMA($a_1$, $b_1$)
    $u_0 :=$ SRMA($a_0$, $b_1$)
    $u_1 :=$ SRMA($a_1$, $b_0$)
    $t_1 := u_0 + u_1$
    return $(2^{2h} t_2 + 2^h t_1 + t_0)$

Let $T(k)$ denote the number of bit operations required to multiply two $k$-bit numbers. Then
the standard recursive multiplication algorithm implies that

$$T(k) = 4T\!\left(\frac{k}{2}\right) + \alpha k ,$$

where $\alpha k$ denotes the number of bit operations required to compute the addition and shift
operations in the above algorithm ($\alpha$ is a constant). Solving this recursion with the initial
condition $T(1) = 1$, we find that the standard recursive multiplication algorithm requires
$O(k^2)$ bit operations to multiply two $k$-bit numbers.

The Karatsuba-Ofman algorithm is based on the observation that, in fact, three
half-size multiplications suffice to achieve the same purpose:

$$\begin{aligned}
t_0 &= a_0 \cdot b_0 , \\
t_2 &= a_1 \cdot b_1 , \\
t_1 &= (a_0 + a_1) \cdot (b_0 + b_1) - t_0 - t_2 = a_0 \cdot b_1 + a_1 \cdot b_0 .
\end{aligned}$$

This yields the Karatsuba-Ofman recursive multiplication algorithm (KORMA), which is
illustrated below:

function KORMA($a$, $b$)
    $t_0 :=$ KORMA($a_0$, $b_0$)
    $t_2 :=$ KORMA($a_1$, $b_1$)
    $u_0 :=$ KORMA($a_1 + a_0$, $b_1 + b_0$)
    $t_1 := u_0 - t_0 - t_2$
    return $(2^{2h} t_2 + 2^h t_1 + t_0)$

Let $T(k)$ denote the number of bit operations required to multiply two $k$-bit numbers using
the Karatsuba-Ofman algorithm. Then,

$$T(k) = 2T\!\left(\frac{k}{2}\right) + T\!\left(\frac{k}{2} + 1\right) + \beta k \approx 3T\!\left(\frac{k}{2}\right) + \beta k .$$

Similarly, $\beta k$ represents the contribution of the addition, subtraction, and shift operations
required in the recursive Karatsuba-Ofman algorithm. Using the initial condition $T(1) = 1$,
we solve this recursion and obtain that the Karatsuba-Ofman algorithm requires

$$O(k^{\log_2 3}) = O(k^{1.58})$$

bit operations in order to multiply two $k$-bit numbers. Thus, the Karatsuba-Ofman algorithm
is asymptotically faster than the standard (recursive as well as nonrecursive) algorithm, which
requires $O(k^2)$ bit operations. However, due to the recursive nature of the algorithm, there
is some overhead involved. For this reason, the Karatsuba-Ofman algorithm starts paying off as
$k$ gets larger. Current implementations indicate that after about $k = 250$, it starts being
faster than the standard nonrecursive multiplication algorithm. Also note that since $a_0 + a_1$
is one bit larger than $h$ bits, some implementation difficulties may arise. However, we also have
the option of stopping at any point during the recursion. For example, we may apply one
level of recursion and then compute the required three multiplications using the standard
nonrecursive multiplication algorithm.
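The following is an added example, not code from the report: KORMA on Python integers, with the two points raised in the last paragraph made concrete. The recursion stops below a cut-off and falls back to the standard nonrecursive product (Python's own `*` stands in for it), the one-bit-wider sums $a_0 + a_1$ and $b_0 + b_1$ are handled by splitting off their top bit, and the base-case products are counted so the three-versus-four saving is visible. The names and the cut-off value are this example's own.

```python
# Added example, not code from the report: the Karatsuba-Ofman recursion (KORMA) of this
# section on Python integers.  It stops recursing below a cut-off and falls back to the
# standard nonrecursive product (Python's own `*` stands in for it), handles the case where
# a0 + a1 and b0 + b1 are one bit wider than h bits, and counts the base-case products so the
# three-versus-four saving is visible.  Names and the cut-off value are this example's own.

def korma(a, b, k, cutoff=64, counter=None):
    """Product of the k-bit numbers a and b, k a power of two.  `counter` is an optional
    one-element list that accumulates the number of base-case multiplications."""
    if k <= cutoff:
        if counter is not None:
            counter[0] += 1
        return a * b                                    # standard nonrecursive algorithm
    h = k // 2
    mask = (1 << h) - 1
    a1, a0 = a >> h, a & mask                           # a = 2^h a1 + a0
    b1, b0 = b >> h, b & mask                           # b = 2^h b1 + b0
    t0 = korma(a0, b0, h, cutoff, counter)
    t2 = korma(a1, b1, h, cutoff, counter)
    # (a0 + a1) and (b0 + b1) can be h + 1 bits wide.  Split off the top bit (alpha, beta in
    # {0, 1}) so the recursive call stays at h bits; the top bits come back with shifts and adds:
    # (2^h alpha + sa)(2^h beta + sb) = 2^{2h} alpha beta + 2^h (alpha sb + beta sa) + sa sb.
    sa, sb = a0 + a1, b0 + b1
    alpha, sa = sa >> h, sa & mask
    beta, sb = sb >> h, sb & mask
    u0 = korma(sa, sb, h, cutoff, counter)
    u0 += ((alpha * sb + beta * sa) << h) + ((alpha & beta) << (2 * h))
    t1 = u0 - t0 - t2                                   # = a0 b1 + a1 b0
    return (t2 << (2 * h)) + (t1 << h) + t0


def karatsuba_multiply(a, b, cutoff=64):
    """Multiply arbitrary nonnegative a, b by padding them to a common power-of-two bit length."""
    k = max(a.bit_length(), b.bit_length(), 1)
    k = 1 << (k - 1).bit_length()                       # round up to a power of two
    return korma(a, b, k, cutoff)


if __name__ == "__main__":
    a, b = (1 << 256) - 189, (1 << 255) + 19            # constructed 256-bit operands
    for cutoff in (256, 128, 64, 32):
        count = [0]
        assert korma(a, b, 256, cutoff, count) == a * b
        print(f"cutoff {cutoff:3d}: {count[0]} base-case products "
              f"(the nonrecursive algorithm would use {(256 // cutoff) ** 2})")
```

With `cutoff=128` the script applies exactly one level of recursion and three standard products, the option the text mentions; each further halving of the cut-off multiplies the count by 3 where the four-way split would multiply it by 4.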
3.4 FFT-based Multiplication Algorithm

The fastest multiplication algorithms use the fast Fourier transform. Although the fast
Fourier transform was originally developed for convolution of sequences, which amounts to
multiplication of polynomials, it can also be used for multiplication of long integers. In the
standard algorithm, the integers are represented by the familiar positional notation. This is
equivalent to polynomials to be evaluated at the radix; for example, $348 = 3x^2 + 4x + 8$ at
$x = 10$. Similarly, $857 = 8x^2 + 5x + 7$ at $x = 10$. In order to multiply 348 by 857, we can
first multiply the polynomials

$$(3x^2 + 4x + 8)(8x^2 + 5x + 7) = 24x^4 + 47x^3 + 105x^2 + 68x + 56 ,$$

then evaluate the resulting polynomial

$$24(10)^4 + 47(10)^3 + 105(10)^2 + 68(10) + 56 = 298236$$

at 10 to obtain the product $348 \cdot 857 = 298236$. Therefore, if we can multiply polynomials
quickly, then we can multiply large integers quickly. In order to multiply two polynomials, we
utilize the discrete Fourier transform. This is achieved by evaluating these polynomials at the
roots of unity, then multiplying these values pointwise, and finally interpolating these values
to obtain the coefficients of the product polynomial. The fast Fourier transform algorithm
allows us to evaluate a given polynomial of degree $s - 1$ at the $s$ roots of unity using $O(s \log s)$
arithmetic operations. Similarly, the interpolation step is performed in $O(s \log s)$ time.

A polynomial is determined by its coefficients. Moreover, there exists a unique polynomial
of degree $s - 1$ which 'visits' $s$ points on the plane, provided that the abscissae of these points
are distinct. These $s$ pairs of points can also be used to uniquely represent the polynomial
of degree $s - 1$. Let $A(x)$ be a polynomial of degree $l - 1$, i.e.,

$$A(x) = \sum_{i=0}^{l-1} A_i x^i .$$

Also, let $\omega$ be a primitive $l$th root of unity. Then the fast Fourier transform algorithm
can be used to evaluate this polynomial at $\{1, \omega, \omega^2, \ldots, \omega^{l-1}\}$ using $O(l \log l)$ arithmetic
operations [31]. In other words, the fast Fourier transform algorithm computes the matrix-
vector product



$$\begin{bmatrix} A(1) \\ A(\omega) \\ A(\omega^2) \\ \vdots \\ A(\omega^{l-1}) \end{bmatrix}
= \begin{bmatrix}
1 & 1 & 1 & \cdots & 1 \\
1 & \omega & \omega^2 & \cdots & \omega^{l-1} \\
1 & \omega^2 & \omega^4 & \cdots & \omega^{2(l-1)} \\
\vdots & & & & \vdots \\
1 & \omega^{l-1} & \omega^{2(l-1)} & \cdots & \omega^{(l-1)^2}
\end{bmatrix}
\begin{bmatrix} A_0 \\ A_1 \\ A_2 \\ \vdots \\ A_{l-1} \end{bmatrix}$$

in order to obtain the polynomial values $A(\omega^i)$ for $i = 0, 1, \ldots, l-1$. These polynomial values
also uniquely define the polynomial $A(x)$. Given these polynomial values, the coefficients $A_i$
for $i = 0, 1, \ldots, l-1$ can be obtained by the use of the 'inverse' Fourier transform:



$$\begin{bmatrix} A_0 \\ A_1 \\ A_2 \\ \vdots \\ A_{l-1} \end{bmatrix}
= l^{-1} \begin{bmatrix}
1 & 1 & 1 & \cdots & 1 \\
1 & \omega^{-1} & \omega^{-2} & \cdots & \omega^{-(l-1)} \\
1 & \omega^{-2} & \omega^{-4} & \cdots & \omega^{-2(l-1)} \\
\vdots & & & & \vdots \\
1 & \omega^{-(l-1)} & \omega^{-2(l-1)} & \cdots & \omega^{-(l-1)^2}
\end{bmatrix}
\begin{bmatrix} A(1) \\ A(\omega) \\ A(\omega^2) \\ \vdots \\ A(\omega^{l-1}) \end{bmatrix}$$

where $l^{-1}$ and $\omega^{-1}$ are the inverses of $l$ and $\omega$, respectively. The polynomial multiplication
algorithm utilizes these subroutines. Let the polynomials

$$a(x) = \sum_{i=0}^{s-1} a_i x^i , \qquad b(x) = \sum_{i=0}^{s-1} b_i x^i$$

denote the multiprecision numbers $a = (a_{s-1} a_{s-2} \cdots a_0)$ and $b = (b_{s-1} b_{s-2} \cdots b_0)$ represented in
radix $W$, where $a_i$ and $b_i$ are the 'digits' with the property $0 \le a_i, b_i \le W - 1$. Let the integer
$l = 2s$ be a power of 2. Given the primitive $l$th root of unity $\omega$, the following algorithm
computes the product $t = (t_{l-1} t_{l-2} \cdots t_0)$.

FFT-based Integer Multiplication Algorithm

Step 1. Evaluate $a(\omega^i)$ and $b(\omega^i)$ for $i = 0, 1, \ldots, l-1$ by calling the fast Fourier transform
procedure.

Step 2. Multiply pointwise to obtain

$$\{ a(1)b(1),\ a(\omega)b(\omega),\ \ldots,\ a(\omega^{l-1})b(\omega^{l-1}) \} .$$

Step 3. Interpolate $t(x) = \sum_{i=0}^{l-1} t_i x^i$ by evaluating

$$l^{-1} \sum_{i=0}^{l-1} a(\omega^i)\, b(\omega^i)\, x^i$$

on $\{1, \omega^{-1}, \ldots, \omega^{-(l-1)}\}$ using the fast Fourier transform procedure.

Step 4. Return the coefficients $(t_{l-1} t_{l-2} \cdots t_0)$.

Note that the coefficients $t_i$ are convolution sums and may exceed $W - 1$ (in the example
above, $105 > 9$); a final carry propagation, i.e., the evaluation of $t(x)$ at $x = W$, turns them into
radix-$W$ digits.

The above fast integer multiplication algorithm works over an arbitrary field in which
$l^{-1}$ and a primitive $l$th root of unity exist. Here, the most important question is which
field to use. The fast Fourier transform was originally developed for the field of complex
numbers, in which the familiar $l$th root of unity $e^{2\pi j/l}$ makes this field the natural choice (here,
$j = \sqrt{-1}$). However, there are computational difficulties in the use of complex numbers.
Since computers can only perform finite precision arithmetic, we may not be able to perform
arithmetic with quantities such as $e^{2\pi j/l}$, because these numbers may be irrational.
In 1971, Pollard [36] showed that any field can be used provided that $l^{-1}$ and a primitive
$l$th root of unity are available. We are especially interested in finite fields, since our computers
perform finite precision arithmetic. The field of choice is the Galois field of $p$ elements, where
$p$ is a prime and $l$ divides $p - 1$. This is due to the theorem which states that if $p$ is prime and
$l$ divides $p - 1$, then $l^{-1}$ is in $GF(p)$ and $GF(p)$ has a primitive $l$th root of unity. Fortunately,
such primes $p$ are not hard to find. Primes of the form $2^r s + 1$, where $s$ is odd, have been
listed in books, e.g., in [39]. Their primitive roots are readily located by successive testing.
There exist an abundance of primes in the arithmetic progression $2^r s + 1$, and primitive
roots make up more than 3 out of every $\pi^2$ elements in the range from 2 to $p - 1$ [31, 7].
For example, there are approximately 180 primes $p = 2^r s + 1 < 2^{31}$ with $r \ge 20$. Any such
prime can be used to compute the fast Fourier transform of size $2^{20}$ [31]. Their primitive
roots may also be found in a reasonable amount of time. The following list gives the 10 largest
primes of the form $p = 2^r s + 1 < 2^{31} - 1$ with $r \ge 20$ and their least primitive roots $\alpha$.



             p     r    $\alpha$
    2130706433    24    3
    2114977793    20    3
    2113929217    25    5
    2099249153    21    3
    2095054849    21   11
    2088763393    23    5
    2077229057    20    3
    2070937601    20    6
    2047868929    20   13
    2035286017    20   10



The primitive $l$th root of unity can easily be computed from $\alpha$ as $\omega = \alpha^{(p-1)/l}$. Thus, mod
$p$ FFT computations are viable. There are many Fourier primes, i.e., primes $p$ for which
FFTs in modulo $p$ arithmetic exist. Moreover, there exists a reasonably efficient algorithm
for determining such primes along with their primitive elements [31]. From these primitive
elements, the required primitive roots of unity can be efficiently computed. This method
for multiplication of long integers using the fast Fourier transform over finite fields was
discovered by Schönhage and Strassen [45]. It is described in detail by Knuth [19]. A careful
analysis of the algorithm shows that the product of two $k$-bit numbers can be performed
using $O(k \log k \log\log k)$ bit operations. However, the constant in front of the order function
is high. The break-even point is much higher than that of the Karatsuba-Ofman algorithm. It
starts paying off for numbers with several thousand bits. Thus, it is not very suitable
for performing RSA operations.
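The following is an added example, not code from the report: Steps 1 to 4 of the FFT-based integer multiplication algorithm carried out in $GF(p)$ for $p = 2130706433 = 127 \cdot 2^{24} + 1$, the first Fourier prime in the table above, with $\omega = \alpha^{(p-1)/l}$ for its least primitive root $\alpha = 3$. The recursive transform, the function names and the size check are this example's own; `pow(x, -1, p)` (Python 3.8 or later) supplies $l^{-1}$ and $\omega^{-1}$.

```python
# Added example, not code from the report: the FFT-based integer multiplication algorithm of
# this section carried out in GF(p) with p = 2130706433 = 127 * 2^24 + 1, the first Fourier
# prime in the table above, and omega = alpha^{(p-1)/l} for its least primitive root alpha = 3.
# The recursive transform, the function names and the size check are this example's own;
# pow(x, -1, p) (Python 3.8+) supplies the inverses l^{-1} and omega^{-1}.

P, ALPHA = 2130706433, 3


def to_digits(x, W):
    """Radix-W digits of x, least significant first: the coefficients of the polynomial a(x)."""
    digits = []
    while x:
        x, r = divmod(x, W)
        digits.append(r)
    return digits or [0]


def root_of_unity(l, p=P, alpha=ALPHA):
    """Primitive l-th root of unity in GF(p); l must divide p - 1 (here l = 2^r, r <= 24)."""
    if (p - 1) % l:
        raise ValueError("l must divide p - 1")
    omega = pow(alpha, (p - 1) // l, p)
    if l > 1 and pow(omega, l // 2, p) != p - 1:             # order is exactly l
        raise ValueError("alpha does not give an element of order l")
    return omega


def ntt(vec, omega, p=P):
    """Values of the polynomial with coefficients vec (low order first) at 1, omega, ...,
    omega^{l-1} mod p: the matrix-vector product of the text, in O(l log l) by radix-2 splitting."""
    l = len(vec)
    if l == 1:
        return vec[:]
    even = ntt(vec[0::2], omega * omega % p, p)
    odd = ntt(vec[1::2], omega * omega % p, p)
    out, w = [0] * l, 1
    for i in range(l // 2):
        tw = w * odd[i] % p
        out[i], out[i + l // 2] = (even[i] + tw) % p, (even[i] - tw) % p
        w = w * omega % p
    return out


def poly_multiply(a, b, p=P):
    """Coefficients of a(x) b(x) mod p by Steps 1-4: evaluate both, multiply pointwise,
    interpolate with omega^{-1} and scale by l^{-1}."""
    n = len(a) + len(b) - 1
    l = 1 << (n - 1).bit_length()                            # l = 2s rounded up to a power of two
    omega = root_of_unity(l, p)
    A = ntt(a + [0] * (l - len(a)), omega, p)                # Step 1
    B = ntt(b + [0] * (l - len(b)), omega, p)
    C = [x * y % p for x, y in zip(A, B)]                    # Step 2
    t = ntt(C, pow(omega, -1, p), p)                         # Step 3
    l_inv = pow(l, -1, p)
    return [c * l_inv % p for c in t[:n]]                    # Step 4


def fft_multiply(a, b, W):
    """a * b through radix-W digit polynomials.  The true product coefficients are at most
    s (W-1)^2 for s = min(digit counts); they must stay below p or the mod-p result is wrong."""
    da, db = to_digits(a, W), to_digits(b, W)
    if min(len(da), len(db)) * (W - 1) ** 2 >= P:
        raise ValueError("coefficients could wrap modulo p: lower the radix or use a larger prime")
    result = 0
    for c in reversed(poly_multiply(da, db)):                # evaluate t(x) at x = W, which also
        result = result * W + c                              # carries coefficients such as 105 > 9
    return result


if __name__ == "__main__":
    print(poly_multiply([8, 4, 3], [7, 5, 8]), fft_multiply(348, 857, 10))  # [56, 68, 105, 47, 24] 298236
```

The check in `fft_multiply` is the caveat that matters in practice: the transform computes the convolution modulo $p$, so the radix $W$ and the operand length together must keep every true coefficient below $p$, which is why 31-bit Fourier primes are paired with small radices (here $W = 2^8$) or with several primes and the Chinese remainder theorem.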

3.5 Squaring is Easier

Squaring is an easier operation than multiplication since about half of the single-precision
multiplications can be skipped. This is due to the fact that $t_{ij} = a_i \cdot a_j = t_{ji}$.

$$\begin{array}{rcccccccc}
 & & & & & a_3 & a_2 & a_1 & a_0 \\
 & & & & \times & a_3 & a_2 & a_1 & a_0 \\ \hline
 & & & & & 2t_{03} & 2t_{02} & 2t_{01} & t_{00} \\
 & & & & 2t_{13} & 2t_{12} & t_{11} & & \\
 & & & 2t_{23} & t_{22} & & & & \\
 + & & t_{33} & & & & & & \\ \hline
 & t_7 & t_6 & t_5 & t_4 & t_3 & t_2 & t_1 & t_0
\end{array}$$

Thus, we can modify the standard multiplication procedure to take advantage of this property
of the squaring operation.

The Standard Squaring Algorithm

Input: $a$
Output: $t = a \cdot a$

0. Initially $t_i := 0$ for all $i = 0, 1, \ldots, 2s-1$.
1. for $i = 0$ to $s - 1$
2.    $(C, S) := t_{i+i} + a_i \cdot a_i$ ;  $t_{i+i} := S$
3.    for $j = i + 1$ to $s - 1$
4.       $(C, S) := t_{i+j} + 2 \cdot a_j \cdot a_i + C$
5.       $t_{i+j} := S$
6.    $t_{i+s} := C$
7. return $(t_{2s-1} t_{2s-2} \cdots t_0)$

However, we warn the reader that the carry-sum pair produced by the operation

$$(C, S) := t_{i+j} + 2 \cdot a_j \cdot a_i + C$$

in Step 4 may be 1 bit longer than a double-precision number, which has $2w$ bits. Since

$$(2^w - 1) + 2(2^w - 1)(2^w - 1) + (2^w - 1) = 2^{2w+1} - 2^{w+1}$$

and

$$2^{2w} - 1 < 2^{2w+1} - 2^{w+1} < 2^{2w+1} - 1 ,$$

the carry-sum pair requires $2w + 1$ bits instead of $2w$ bits for its representation. Thus, we
need to accommodate this 'extra' bit during the execution of the operations in Steps 4, 5,
and 6. The resolution of this carry may depend on the way the carry bits are handled by
the particular processor's architecture. This issue, being rather implementation-dependent,
will not be discussed here.
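The following is an added example, not code from the report: the squaring algorithm above on $w$-bit words, with the extra bit handled explicitly. The Step 4 value is formed as a Python integer and split into a $(w+1)$-bit carry and a $w$-bit sum, and because the carry written in Step 6 may then be wider than one word, it is added into $t_{i+s}$ with a ripple into the following word instead of being assigned. The function names are this example's own.

```python
# Added example, not code from the report: the standard squaring algorithm of this section on
# w-bit words.  The inner step t_{i+j} + 2 a_j a_i + C is evaluated as a Python integer and then
# split into a (w+1)-bit carry and a w-bit sum, so the 'extra' bit the text warns about is kept;
# the carry of Step 6 may therefore exceed one word and is rippled into the next word.
# Names are this example's own.

def square_words(a, w=32, stats=None):
    """t = a * a as 2s words of w bits, least significant word first (s = word count of a).
    If `stats` is a dict, the widest inner-step value seen is stored under 'max_inner'."""
    W, mask = 1 << w, (1 << w) - 1
    A = []
    while a:
        A.append(a & mask)
        a >>= w
    s = len(A) or 1
    A += [0] * (s - len(A))
    t = [0] * (2 * s)                                        # Step 0
    for i in range(s):                                       # Step 1
        C, t[2 * i] = divmod(t[2 * i] + A[i] * A[i], W)      # Step 2: the diagonal term, once
        for j in range(i + 1, s):                            # Step 3
            v = t[i + j] + 2 * A[j] * A[i] + C               # Step 4: the doubled cross term
            assert v < 2 * W * W                             # fits in 2w+1 bits, as shown above
            if stats is not None:
                stats["max_inner"] = max(stats.get("max_inner", 0), v)
            C, t[i + j] = v >> w, v & mask                   # Step 5; C is now up to w+1 bits
        carry, pos = C, i + s                                # Step 6: add the carry into t_{i+s} ...
        while carry:                                         # ... rippling its extra bit upward
            v = t[pos] + carry
            t[pos], carry, pos = v & mask, v >> w, pos + 1
    return t


def square(a, w=32):
    """Integer value of square_words(a, w); equals a * a."""
    return sum(word << (w * i) for i, word in enumerate(square_words(a, w)))


if __name__ == "__main__":
    st = {}
    words = square_words(2**64 - 1, 32, st)
    print([hex(x) for x in words], "widest inner value:", st["max_inner"].bit_length(), "bits")
```

For $a = 2^{64} - 1$ with $w = 32$ the widest inner value is $2 \cdot 2^{64} - 3 \cdot 2^{32}$, i.e. 65 bits, which is the case the text warns about; a C implementation would need the processor's carry flag or a 65-bit accumulator at exactly this point.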
3.6 Computation of the Remainder

The multiply-and-reduce modular multiplication algorithm first computes the product $a \cdot b$
(or $a \cdot a$) using one of the multiplication algorithms given above. The multiplication step is
then followed by a division algorithm in order to compute the remainder. However, as we
have noted in Section 3.1, we are not interested in the quotient; we only need the remainder.
Therefore, the steps of the division algorithm can be somewhat simplified in order to speed up
the process. The reduction step can be achieved by using one of the well-known sequential
division algorithms. In the following sections, we describe the restoring and the nonrestoring
division algorithms for computing the remainder of $t$ when divided by $n$.

Division is the most complex of the four basic arithmetic operations. First of all, it has
two results: the quotient and the remainder. Given a dividend $t$ and a divisor $n$, a quotient
$Q$ and a remainder $R$ have to be calculated in order to satisfy

$$t = Q \cdot n + R \quad \text{with} \quad 0 \le R < n .$$

If $t$ and $n$ are positive, then the quotient $Q$ and the remainder $R$ will be positive. The
sequential division algorithm successively shifts and subtracts $n$ from $t$ until a remainder
$R$ with the property $0 \le R < n$ is found. However, after a subtraction we may obtain a
negative remainder. The restoring and nonrestoring algorithms take different actions when
a negative remainder is obtained.

3.6.1 Restoring Division Algorithm

Let $R_i$ be the remainder obtained during the $i$th step of the division algorithm. Since we
are not interested in the quotient, we ignore the generation of the bits of the quotient in the
following algorithm. The procedure given below first left-aligns the operands $t$ and $n$. Since
$t$ is a $2k$-bit number and $n$ is a $k$-bit number, the left alignment implies that $n$ is shifted $k$
bits to the left, i.e., we start with the shifted divisor $N = 2^k n$. Furthermore, the initial value of $R$
is taken to be $t$, i.e., $R_0 = t$. We then subtract the shifted divisor from $t$ to obtain $R_1$; if $R_1$ is
positive or zero, we continue to the next step. If it is negative, the remainder is restored to its
previous value. The shifted divisor is then halved, so that the $k + 1$ steps try $2^k n, 2^{k-1} n, \ldots, n$
in turn.

The Restoring Division Algorithm

Input: $t, n$
Output: $R = t \bmod n$

1. $R_0 := t$
2. $N := 2^k n$
3. for $i = 1$ to $k + 1$
4.    $R_i := R_{i-1} - N$
5.    if $R_i < 0$ then $R_i := R_{i-1}$
6.    $N := N/2$
7. return $R_{k+1}$

In Step 5 of the algorithm, we check the sign of the remainder; if it is negative, the previous
remainder is taken to be the new remainder, i.e., a restore operation is performed. If the
remainder $R_i$ is positive, it remains as the new remainder, i.e., we do not restore. The
restoring division algorithm performs $k + 1$ subtractions in order to reduce the $2k$-bit number
$t$ modulo the $k$-bit number $n$ (when $t = a \cdot b$ with $a, b < n$, the first subtraction can never
succeed, since $t < n^2 < 2^k n$, so $k$ subtractions starting from $2^{k-1} n$ suffice). Thus, it takes much
longer than the standard multiplication algorithm, which requires $s^2 = (k/w)^2$ inner-product
steps, where $w$ is the word-size of the computer.

In the following, we give an example of the restoring division algorithm for computing
$3019 \bmod 53$, where $3019 = (101111001011)_2$ and $53 = (110101)_2$. The result is $51 =
(110011)_2$.

Also, before subtracting, we may check whether the most significant bit of the remainder is 1. In
this case, we perform a subtraction. If it is zero, there is no need to subtract since $N > R_i$.
We shift $N$ until it is aligned with the nonzero most significant bit of $R_i$. This way we are able
to skip several subtract/restore cycles. On the average, about $k/2$ subtractions are performed.

3,6.2 Nonrestoring Division Algorithm 

The nonrestoring division algorithm allows a negative remainder. In order to correct the
remainder, a subtraction or an addition is performed during the next cycle, depending on
whether the sign of the remainder is positive or negative, respectively. This is based on
the following observation: Suppose $R_i = R_{i-1} - n < 0$; then the restoring algorithm assigns
$R_i := R_{i-1}$ and performs a subtraction with the shifted $n$, obtaining

$R_{i+1} = R_i - n/2 = R_{i-1} - n/2$ .

However, if $R_i = R_{i-1} - n < 0$, then one can instead let $R_i$ remain negative and add the
shifted $n$ in the following cycle. Thus, one obtains

$R_{i+1} = R_i + n/2 = (R_{i-1} - n) + n/2 = R_{i-1} - n/2$ ,

which is the same value. The steps of the nonrestoring algorithm, which implements
this observation, are given below:

The Nonrestoring Division Algorithm

Input: t, n

Output: R = t mod n

1. R_0 := t

2. n := 2^k · n

3. for i = 1 to k

4.   n := n/2

5.   if R_{i-1} ≥ 0 then R_i := R_{i-1} - n

6.   else R_i := R_{i-1} + n

7. if R_k < 0 then R_k := R_k + n

8. return R_k

Note that the nonrestoring division algorithm requires a final restoration cycle in which a
negative remainder is corrected by adding the last value of $n$ back to it. In the following we
compute $51 = 3019 \bmod 53$ using the nonrestoring division algorithm. Since the remainder
is allowed to stay negative, we use 2's complement coding to represent such numbers.
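Both division algorithms of this section, as an added Python example (not code from the report). The nonrestoring loop halves the divisor before each conditional step so that the final correction adds $n$ itself; both routines assume $t < 2^k \cdot n$ for the $k$-bit modulus $n$, which holds for the $3019 \bmod 53$ example.

```python
# Restoring and nonrestoring division for t mod n (Sections 3.6.1 and 3.6.2).
# Added example, not the report's code. Both routines take the k-bit modulus n
# and assume t < 2^k * n, which holds for the page's example 3019 mod 53.

def restoring_mod(t, n):
    """Return (t mod n, list of partial remainders) using restore-on-negative."""
    k = n.bit_length()
    r = t
    trace = []
    shifted = n << k                 # Step 2: n := 2^k * n
    for _ in range(k):               # k subtract/restore cycles
        shifted >>= 1                # align the divisor with the next quotient bit
        trial = r - shifted          # trial subtraction
        if trial >= 0:               # positive: keep the new remainder
            r = trial
        # negative: restore, i.e. keep the previous remainder r unchanged
        trace.append(r)
    return r, trace

def nonrestoring_mod(t, n):
    """Return (t mod n, list of partial remainders); remainders may go negative."""
    k = n.bit_length()
    r = t
    trace = []
    shifted = n << k
    for _ in range(k):
        shifted >>= 1
        # Subtract when the previous remainder is non-negative, otherwise add:
        # this folds the restore of the previous cycle into the current one.
        r = r - shifted if r >= 0 else r + shifted
        trace.append(r)
    if r < 0:                        # final restoration cycle
        r += shifted                 # shifted == n after the k halvings
    return r, trace

def twos_complement(x, bits):
    """Render a possibly negative partial remainder in 2's complement, as the report does."""
    return format(x & ((1 << bits) - 1), "0{}b".format(bits))

if __name__ == "__main__":
    for name, fn in (("restoring", restoring_mod), ("nonrestoring", nonrestoring_mod)):
        rem, trace = fn(3019, 53)
        print(name, rem, [twos_complement(x, 13) for x in trace])
```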
3.7 Blakley's Method



Blakley's method [2, 47] directly computes $a \cdot b \bmod n$ by interleaving the shift-add steps of
the multiplication and the shift-subtract steps of the division. Since the division algorithm
proceeds bit-by-bit, the steps of the multiplication algorithm must also follow this process.
This implies that we use a bit-by-bit multiplication algorithm rather than a word-by-word
multiplication algorithm, which would be much quicker. However, the bit-by-bit multiplication
algorithms can be made to run faster by employing bit-recoding techniques. Furthermore,
the $m$-ary segmentation of the operands and canonical recoding of the multiplier allows much
faster implementations [27]. In the following we describe the steps of Blakley's algorithm.
Let $a_i$ and $b_j$ represent the bits of the $k$-bit numbers $a$ and $b$, respectively. Then, the product
$t$, which is a $2k$-bit number, can be written as



Blakley's algorithm is based on the above formulation of the product; however, at each
step, we perform a reduction in order to make sure that the remainder is less than $n$. The
reduction step may involve several subtractions.

The Blakley Algorithm

Input: a, b, n

Output: R = a · b mod n

1. R := 0

2. for i = 0 to k - 1

3.   R := 2R + a_{k-1-i} · b

4.   R := R mod n

5. return R

At Step 3, the partial remainder is shifted one bit to the left and the product $a_{k-1-i} \cdot b$
is added to the result. This is a step of the right-to-left multiplication algorithm. Let us
assume that $0 \le a, b, R \le n - 1$. Then the new $R$ will be in the range $0 \le R \le 3n - 3$ since
Step 3 of the algorithm implies

$R := 2R + a_i \cdot b \le 2(n-1) + (n-1) = 3n - 3$ ,

i.e., at most 2 subtractions will be needed to bring the new $R$ to the range $[0, n-1]$. Thus,
Step 4 of the algorithm can be expanded as:

4.1  if R ≥ n then R := R - n

4.2  if R ≥ n then R := R - n



This algorithm computes the remainder $R$ in $k$ steps, where at each step one left shift,
one addition, and at most two subtractions are performed; the operands involved in these
computations are $k$-bit binary numbers.
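Blakley's algorithm with the expanded Step 4, as an added Python example (not the report's code); the function also reports the largest intermediate $R$ so that the bound $R \le 3n - 3$ can be checked exhaustively for a small modulus.

```python
# Blakley's method (Section 3.7): bit-by-bit multiplication interleaved with an
# at-most-two-subtraction reduction. Added example, not the report's own code.

def blakley_mulmod(a, b, n):
    """Return (a*b mod n, largest intermediate R, total subtractions) for 0 <= a, b < n."""
    assert 0 <= a < n and 0 <= b < n
    k = n.bit_length()
    R = 0
    peak = 0
    subs = 0
    for i in range(k):                         # Step 2: i = 0 .. k-1
        bit = (a >> (k - 1 - i)) & 1           # a_{k-1-i}, most significant bit first
        R = 2 * R + bit * b                    # Step 3: left shift and conditional add
        peak = max(peak, R)                    # here R <= 3n - 3, as the text argues
        if R >= n:                             # Step 4.1
            R -= n
            subs += 1
        if R >= n:                             # Step 4.2: a second subtraction always suffices
            R -= n
            subs += 1
        assert 0 <= R < n                      # invariant entering the next step
    return R, peak, subs

def blakley_bound_holds(n):
    """True when every intermediate R stays within 3n - 3 for all a, b in [0, n)."""
    return all(blakley_mulmod(a, b, n)[1] <= 3 * n - 3
               for a in range(n) for b in range(n))

if __name__ == "__main__":
    print(blakley_mulmod(52, 52, 53))          # 52 * 52 mod 53 == 1
    print(blakley_bound_holds(53))
```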
3.8 Montgomery's Method

In 1985, P. L. Montgomery introduced an efficient algorithm [32] for computing $R = a \cdot b \bmod n$
where $a$, $b$, and $n$ are $k$-bit binary numbers. The algorithm is particularly suitable for
implementation on general-purpose computers (signal processors or microprocessors) which
are capable of performing fast arithmetic modulo a power of 2. The Montgomery reduction
algorithm computes the resulting $k$-bit number $R$ without performing a division by the
modulus $n$. Via an ingenious representation of the residue class modulo $n$, this algorithm
replaces the division by $n$ with a division by a power of 2. This operation is easily
accomplished on a computer since the numbers are represented in binary form. Assuming
the modulus $n$ is a $k$-bit number, i.e., $2^{k-1} \le n < 2^k$, let $r$ be $2^k$. The Montgomery reduction
algorithm requires that $r$ and $n$ be relatively prime, i.e., $\gcd(r, n) = \gcd(2^k, n) = 1$. This
requirement is satisfied if $n$ is odd. In the following we summarize the basic idea behind the
Montgomery reduction algorithm.

Given an integer $a < n$, we define its $n$-residue with respect to $r$ as

$\bar{a} = a \cdot r \bmod n$ .

It is straightforward to show that the set

$\{\, i \cdot r \bmod n \mid 0 \le i \le n - 1 \,\}$

is a complete residue system, i.e., it contains all numbers between 0 and $n - 1$. Thus, there is
a one-to-one correspondence between the numbers in the range 0 to $n - 1$ and the numbers
in the above set. The Montgomery reduction algorithm exploits this property by introducing
a much faster multiplication routine which computes the $n$-residue of the product of two
integers whose $n$-residues are given. Given two $n$-residues $\bar{a}$ and $\bar{b}$, the Montgomery product
is defined as the $n$-residue

$\bar{R} = \bar{a} \cdot \bar{b} \cdot r^{-1} \bmod n$ ,

where $r^{-1}$ is the inverse of $r$ modulo $n$, i.e., it is the number with the property

$r^{-1} \cdot r = 1 \pmod n$ .

The resulting number $\bar{R}$ is indeed the $n$-residue of the product

$R = a \cdot b \bmod n$

since

$\bar{R} = \bar{a} \cdot \bar{b} \cdot r^{-1} \bmod n$
$\quad = a \cdot r \cdot b \cdot r \cdot r^{-1} \bmod n$
$\quad = a \cdot b \cdot r \bmod n$ .
In order to describe the Montgomery reduction algorithm, we need an additional quantity,
$n'$, which is the integer with the property

$r \cdot r^{-1} - n \cdot n' = 1$ .

The integers $r^{-1}$ and $n'$ can both be computed by the extended Euclidean algorithm [19].
The Montgomery product algorithm, which computes

$\bar{u} = \bar{a} \cdot \bar{b} \cdot r^{-1} \pmod n$

given $\bar{a}$ and $\bar{b}$, is given below:

function MonPro(ā, b̄)
  Step 1. t := ā · b̄
  Step 2. m := t · n' mod r
  Step 3. u := (t + m · n)/r
  Step 4. if u ≥ n then return u - n
          else return u

The most important feature of the Montgomery product algorithm is that the operations
involved are multiplications modulo $r$ and divisions by $r$, both of which are intrinsically fast
operations since $r$ is a power of 2. The MonPro algorithm can be used to compute the product
of $a$ and $b$ modulo $n$, provided that $n$ is odd.

function ModMul(a, b, n) { n is an odd number }

  Step 1. Compute n' using the extended Euclidean algorithm.

  Step 2. ā := a · r mod n

  Step 3. b̄ := b · r mod n

  Step 4. x̄ := MonPro(ā, b̄)

  Step 5. x := MonPro(x̄, 1)

  Step 6. return x

A better algorithm can be given by observing the property

$\mathrm{MonPro}(\bar{a}, b) = (a \cdot r) \cdot b \cdot r^{-1} = a \cdot b \pmod n$ ,

which modifies the above algorithm as

function ModMul(a, b, n) { n is an odd number }

  Step 1. Compute n' using the extended Euclidean algorithm.

  Step 2. ā := a · r mod n

  Step 3. x := MonPro(ā, b)

  Step 4. return x

However, the preprocessing operations, especially the computation of $n'$, are rather time-
consuming. Thus, it is not a good idea to use the Montgomery product algorithm when a
single modular multiplication is to be performed.
3.8.1 Montgomery Exponentiation

The Montgomery product algorithm is more suitable when several modular multiplications
with respect to the same modulus are needed. Such is the case when one needs to compute a
modular exponentiation, i.e., the computation of $M^e \bmod n$. Using one of the addition chain
algorithms given in Chapter 2, we replace the exponentiation operation by a series of square
and multiplication operations modulo $n$. This is where the Montgomery product operation
finds its best use. In the following we summarize the modular exponentiation operation which
makes use of the Montgomery product function MonPro. The exponentiation algorithm uses
the binary method.

function ModExp(M, e, n) { n is an odd number }

  Step 1. Compute n' using the extended Euclidean algorithm.

  Step 2. M̄ := M · r mod n

  Step 3. x̄ := 1 · r mod n

  Step 4. for i = k - 1 down to 0 do

  Step 5.   x̄ := MonPro(x̄, x̄)

  Step 6.   if e_i = 1 then x̄ := MonPro(M̄, x̄)

  Step 7. x := MonPro(x̄, 1)

  Step 8. return x

Thus, we start with the ordinary residue $M$ and obtain its $n$-residue $\bar{M}$ using a division-
like operation, which can be achieved, for example, by a series of shift and subtract oper-
ations. Additionally, Steps 2 and 3 require divisions. However, once the preprocessing has
been completed, the inner loop of the binary exponentiation method uses the Montgomery
product operation, which performs only multiplications modulo $2^k$ and divisions by $2^k$. When
the binary method finishes, we obtain the $n$-residue $\bar{x}$ of the quantity $x = M^e \bmod n$. The
ordinary residue number is obtained from the $n$-residue by executing the MonPro function
with arguments $\bar{x}$ and 1. This is easily shown to be correct since

$\bar{x} = x \cdot r \bmod n$

immediately implies that

$x = \bar{x} \cdot r^{-1} \bmod n = \bar{x} \cdot 1 \cdot r^{-1} \bmod n = \mathrm{MonPro}(\bar{x}, 1)$ .

The resulting algorithm is quite fast, as was demonstrated by many researchers and engi-
neers who have implemented it; for example, see [10, 30]. However, this algorithm can be
refined and made more efficient, particularly when the numbers involved are multi-precision
integers. For example, Dusse and Kaliski [10] gave improved algorithms, including a simple
and efficient method for computing $n'$. We will describe these methods in Section 4.2.

3.8.2 An Example of Exponentiation

Here we show how to compute $x = 7^{10} \bmod 13$ using the Montgomery exponentiation algo-
rithm.

• Since $n = 13$, we take $r = 2^4 = 16 > n$.

• Computation of $n'$:

  Using the extended Euclidean algorithm, we determine that $16 \cdot 9 - 13 \cdot 11 = 1$; thus,
  $r^{-1} = 9$ and $n' = 11$.

• Computation of $\bar{M}$:

  Since $M = 7$, we have $\bar{M} := M \cdot r \pmod n = 7 \cdot 16 \pmod{13} = 8$.

• Computation of $\bar{x}$ for $x = 1$:

  We have $\bar{x} := x \cdot r \pmod n = 1 \cdot 16 \pmod{13} = 3$.
• Steps 5 and 6 of the ModExp routine, one row per bit $e_i$ of the exponent, scanned from the most significant bit:

  e_i    Step 5                  Step 6
  1      MonPro(3, 3) = 3        MonPro(8, 3) = 8
  0      MonPro(8, 8) = 4
  1      MonPro(4, 4) = 1        MonPro(8, 1) = 7
  0      MonPro(7, 7) = 12

  ◦ Computation of MonPro(3, 3) = 3:
    t := 3 · 3 = 9
    m := 9 · 11 (mod 16) = 3
    u := (9 + 3 · 13)/16 = 48/16 = 3

  ◦ Computation of MonPro(8, 8) = 4:
    t := 8 · 8 = 64
    m := 64 · 11 (mod 16) = 0
    u := (64 + 0 · 13)/16 = 64/16 = 4

  ◦ Computation of MonPro(8, 1) = 7:
    t := 8 · 1 = 8
    m := 8 · 11 (mod 16) = 8
    u := (8 + 8 · 13)/16 = 112/16 = 7

  ◦ Computation of MonPro(8, 3) = 8:
    t := 8 · 3 = 24
    m := 24 · 11 (mod 16) = 8
    u := (24 + 8 · 13)/16 = 128/16 = 8

  ◦ Computation of MonPro(4, 4) = 1:
    t := 4 · 4 = 16
    m := 16 · 11 (mod 16) = 0
    u := (16 + 0 · 13)/16 = 16/16 = 1

  ◦ Computation of MonPro(7, 7) = 12:
    t := 7 · 7 = 49
    m := 49 · 11 (mod 16) = 11
    u := (49 + 11 · 13)/16 = 192/16 = 12

• Step 7 of the ModExp routine: x = MonPro(12, 1) = 4

    t := 12 · 1 = 12
    m := 12 · 11 (mod 16) = 4
    u := (12 + 4 · 13)/16 = 64/16 = 4

Thus, we obtain $x = 4$ as the result of the operation $7^{10} \bmod 13$.
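MonPro and ModExp of Sections 3.8 to 3.8.2 as an added Python example (not the report's code). Python's built-in modular inverse, `pow(x, -1, m)` (Python 3.8+), stands in for the extended Euclidean algorithm when deriving $r^{-1}$ and $n'$; the example reproduces the $7^{10} \bmod 13$ computation above.

```python
# Montgomery product and exponentiation (Sections 3.8-3.8.2). Added example,
# not the report's code. pow(x, -1, m) replaces the extended Euclidean algorithm.

def montgomery_params(n):
    """Return (k, r, n') with r = 2^k > n and r*r^-1 - n*n' = 1; n must be odd."""
    if n % 2 == 0:
        raise ValueError("Montgomery reduction needs gcd(r, n) = 1, i.e. odd n")
    k = n.bit_length()
    r = 1 << k
    r_inv = pow(r, -1, n)
    n_prime = (r * r_inv - 1) // n              # exact, because r*r_inv = 1 (mod n)
    return k, r, n_prime

def monpro(a_bar, b_bar, n, r, n_prime):
    """MonPro: return a_bar * b_bar * r^-1 mod n using only mod-r and div-r steps."""
    t = a_bar * b_bar                           # Step 1
    m = (t * n_prime) % r                       # Step 2: multiplication modulo r
    u = (t + m * n) // r                        # Step 3: exact division by r (a shift)
    return u - n if u >= n else u               # Step 4: one conditional subtraction

def modexp(M, e, n):
    """ModExp: M^e mod n by the left-to-right binary method over n-residues."""
    k, r, n_prime = montgomery_params(n)        # Step 1
    M_bar = (M * r) % n                         # Step 2: n-residue of M
    x_bar = r % n                               # Step 3: n-residue of 1
    for i in range(e.bit_length() - 1, -1, -1): # Step 4: scan e from its top bit
        x_bar = monpro(x_bar, x_bar, n, r, n_prime)          # Step 5: square
        if (e >> i) & 1:                                     # Step 6: multiply
            x_bar = monpro(M_bar, x_bar, n, r, n_prime)
    return monpro(x_bar, 1, n, r, n_prime)      # Step 7: back to the ordinary residue

if __name__ == "__main__":
    print(montgomery_params(13))                # (4, 16, 11)
    print(modexp(7, 10, 13))                    # 4
```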
3.8.3 The Case of Even Modulus

Since the existence of $r^{-1}$ and $n'$ requires that $n$ and $r$ be relatively prime, we cannot use
the Montgomery product algorithm when this rule is not satisfied. We take $r = 2^k$ since
arithmetic operations are based on binary arithmetic modulo $2^w$, where $w$ is the word-size
of the computer. In the case of single-precision integers, we take $k = w$. However, when the
numbers are large, we choose $k$ to be an integer multiple of $w$. Since $r = 2^k$, the Montgomery
modular exponentiation algorithm requires that

$\gcd(r, n) = \gcd(2^k, n) = 1$ ,

which is satisfied if and only if $n$ is odd. We now describe a simple technique [22] which can
be used whenever one needs to compute a modular exponentiation with respect to an even
modulus. Let $n$ be factored such that

$n = q \cdot 2^j$ ,

where $q$ is an odd integer. This can easily be accomplished by shifting the even number $n$ to
the right until its least-significant bit becomes one. Then, by the application of the Chinese
remainder theorem, the computation of

$x = a^e \bmod n$

is broken into two independent parts such that

$x_1 = a^e \bmod q$ ,
$x_2 = a^e \bmod 2^j$ .

The final result $x$ has the property

$x = x_1 \bmod q$ ,
$x = x_2 \bmod 2^j$ ,

and can be found using one of the Chinese remainder algorithms: the single-radix conversion
algorithm or the mixed-radix conversion algorithm [49, 19, 31]. The computation of $x_1$ can be
performed using the ModExp algorithm since $q$ is odd. Meanwhile, the computation of $x_2$ can
be performed even more easily since it involves arithmetic modulo $2^j$. There is, however, some
overhead involved due to the introduction of the Chinese remainder theorem. According to
the mixed-radix conversion algorithm, the number whose residues are $x_1$ and $x_2$ modulo $q$
and $2^j$, respectively, is equal to

$x = x_1 + q \cdot y$

where

$y = (x_2 - x_1) \cdot q^{-1} \bmod 2^j$ .

The inverse $q^{-1} \bmod 2^j$ exists since $q$ is odd. It can be computed using the simple algorithm
given in Section 4.2. We thus have the following algorithm:



function EvenModExp(a, e, n) { n is an even number }

  1. Shift n to the right to obtain the factorization n = q · 2^j.

  2. Compute x_1 := a^e mod q using the ModExp routine above.

  3. Compute x_2 := a^e mod 2^j using the binary method and modulo 2^j arithmetic.

  4. Compute q^{-1} mod 2^j and y := (x_2 - x_1) · q^{-1} mod 2^j.

  5. Compute x := x_1 + q · y and return x.



3.8.4 An Example of the Even Modulus Case

The computation of $a^e \bmod n$ for $a = 375$, $e = 249$, and $n = 388$ is illustrated below.

Step 1. $n = 388 = (110000100)_2 = (1100001)_2 \times 2^2 = 97 \times 2^2$. Thus, $q = 97$ and $j = 2$.

Step 2. Compute $x_1 = a^e \bmod q$ by calling ModExp with parameters $a = 375$, $e = 249$,
and $q = 97$. We must remark, however, that we can reduce $a$ and $e$ modulo $q$ and $\phi(q)$,
respectively. The latter is possible if we know the factorization of $q$. Such knowledge is
not necessary but would further decrease the computation time of the ModExp routine.
Assuming we do not know the factorization of $q$, we only reduce $a$ to obtain

$a \bmod q = 375 \bmod 97 = 84$

and call the ModExp routine with parameters (84, 249, 97). Since $q$ is odd, the ModExp
routine successfully computes the result as $x_1 = 78$.

Step 3. Compute $x_2 = a^e \bmod 2^j$ by calling an exponentiation routine based on the binary
method and modulo $2^j$ arithmetic. Before calling such a routine we should reduce the
parameters as

$a \bmod 2^j = 375 \bmod 4 = 3$ ,
$e \bmod \phi(2^j) = 249 \bmod 2 = 1$ .

In this case, we are able to reduce the exponent since we know that $\phi(2^j) = 2^{j-1}$.
Thus, we call the exponentiation routine with the parameters (3, 1, 4). The routine
computes the result as $x_2 = 3$.

Step 4. Using the extended Euclidean algorithm, compute

$q^{-1} \bmod 2^j = 97^{-1} \bmod 4 = 1$ .

Now compute

$y = (x_2 - x_1) \cdot q^{-1} \bmod 2^j$
$\quad = (3 - 78) \cdot 1 \bmod 4$
$\quad = 1$ .

Step 5. Compute and return the final result

$x = x_1 + q \cdot y = 78 + 97 \cdot 1 = 175$ .
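EvenModExp of Sections 3.8.3 and 3.8.4 as an added Python example (not the report's code). `pow(a, e, q)` stands in for the report's ModExp routine on the odd factor $q$; the exponent for the $2^j$ part is reduced modulo $\phi(2^j) = 2^{j-1}$ only when the base is odd, since that reduction relies on $\gcd(a, 2^j) = 1$, a case the example above does not need to handle.

```python
# EvenModExp (Sections 3.8.3-3.8.4). Added example, not the report's code;
# pow(a, e, q) replaces the ModExp routine on the odd factor q.

def split_even_modulus(n):
    """Step 1: shift n right until it is odd, returning (q, j) with n = q * 2^j."""
    j = 0
    while n % 2 == 0:
        n //= 2
        j += 1
    return n, j

def even_modexp(a, e, n, trace=None):
    """Return a^e mod n for even n; fills `trace` (a dict, if given) with the intermediates."""
    q, j = split_even_modulus(n)                  # Step 1
    two_j = 1 << j
    x1 = pow(a % q, e, q)                         # Step 2: ModExp on the odd part, base reduced mod q
    a2 = a % two_j
    if a2 % 2 == 1:                               # Step 3: exponent reduction needs gcd(a, 2^j) = 1
        x2 = pow(a2, e % (two_j // 2), two_j)     # phi(2^j) = 2^(j-1); phi(2) = 1
    else:
        x2 = pow(a2, e, two_j)                    # even base: keep the full exponent
    q_inv = pow(q, -1, two_j)                     # Step 4: exists because q is odd
    y = ((x2 - x1) * q_inv) % two_j
    x = x1 + q * y                                # Step 5: mixed-radix recombination
    if trace is not None:
        trace.update(q=q, j=j, x1=x1, x2=x2, q_inv=q_inv, y=y)
    return x

if __name__ == "__main__":
    steps = {}
    print(even_modexp(375, 249, 388, steps), steps)   # 175 {'q': 97, 'j': 2, 'x1': 78, ...}
```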
Further Improvements and Performance Analysis

4.1 Fast Decryption using the CRT

The RSA decryption and signing operation, i.e., given $C$, the computation of

$M := C^d \pmod n$ ,

can be performed faster using the Chinese remainder theorem (CRT) since the user knows
the factors of the modulus: $n = p \cdot q$. This method was proposed by Quisquater and Couvreur
[37], and is based on the Chinese remainder theorem, another number theory gem, like the
binary method, coming to us from antiquity. Let $p_i$ for $i = 1, 2, \ldots, k$ be pairwise relatively
prime integers, i.e.,

$\gcd(p_i, p_j) = 1$ for $i \ne j$ .

Given $u_i \in [0, p_i - 1]$ for $i = 1, 2, \ldots, k$, the Chinese remainder theorem states that there
exists a unique integer $u$ in the range $[0, P - 1]$, where $P = p_1 p_2 \cdots p_k$, such that

$u = u_i \pmod{p_i}$ .

The Chinese remainder theorem tells us that the computation of

$M := C^d \pmod{p \cdot q}$

can be broken into two parts as

$M_1 := C^d \pmod p$ ,
$M_2 := C^d \pmod q$ ,

after which the final value of $M$ is computed (lifted) by the application of a Chinese remainder
algorithm. There are two algorithms for this computation: the single-radix conversion
(SRC) algorithm and the mixed-radix conversion (MRC) algorithm. Here, we briefly describe
these algorithms, details of which can be found in [14, 49, 19, 31]. Going back to the general
example, we observe that the SRC or the MRC algorithm computes $u$ given $u_1, u_2, \ldots, u_k$
and $p_1, p_2, \ldots, p_k$. The SRC algorithm computes $u$ using the summation

$u = \sum_{i=1}^{k} u_i c_i P_i \pmod P$ ,

where

$P_i = p_1 p_2 \cdots p_{i-1} p_{i+1} \cdots p_k = \frac{P}{p_i}$

and $c_i$ is the multiplicative inverse of $P_i$ modulo $p_i$, i.e.,

$c_i P_i = 1 \pmod{p_i}$ .

Thus, applying the SRC algorithm to the RSA decryption, we first compute

$M_1 := C^d \pmod p$ ,
$M_2 := C^d \pmod q$ .

However, applying Fermat's theorem to the exponents, we only need to compute

$M_1 := C^{d_1} \pmod p$ ,
$M_2 := C^{d_2} \pmod q$ ,

where

$d_1 := d \bmod (p - 1)$ ,
$d_2 := d \bmod (q - 1)$ .

This provides some savings since $d_1, d_2 < d$; in fact, the sizes of $d_1$ and $d_2$ are about half of
the size of $d$. Proceeding with the SRC algorithm, we compute $M$ using the sum

$M = M_1 c_1 \frac{n}{p} + M_2 c_2 \frac{n}{q} \pmod n = M_1 c_1 q + M_2 c_2 p \pmod n$ ,

where $c_1 = q^{-1} \pmod p$ and $c_2 = p^{-1} \pmod q$. This gives

$M = M_1 (q^{-1} \bmod p)\, q + M_2 (p^{-1} \bmod q)\, p \pmod n$ .

In order to prove this, we simply show that

$M \pmod p = M_1 \cdot 1 + 0 = M_1$ ,
$M \pmod q = 0 + M_2 \cdot 1 = M_2$ .
The MRC algorithm, on the other hand, computes the final number $u$ by first computing
a triangular table of values:

$u_{11}$
$u_{21}\ \ u_{22}$
$u_{31}\ \ u_{32}\ \ u_{33}$

where the first column of values $u_{i1}$ are the given values of $u_i$, i.e., $u_{i1} = u_i$. The values in
the remaining columns are computed sequentially using the values from the previous column
according to the recursion

$u_{i,j+1} = (u_{ij} - u_{jj})\, c_{ji} \pmod{p_i}$ ,

where $c_{ji}$ is the multiplicative inverse of $p_j$ modulo $p_i$, i.e.,

$c_{ji}\, p_j = 1 \pmod{p_i}$ .

For example, $u_{32}$ is computed as

$u_{32} = (u_{31} - u_{11})\, c_{13} \pmod{p_3}$ ,

where $c_{13}$ is the inverse of $p_1$ modulo $p_3$. The final value of $u$ is computed using the summation

$u = u_{11} + u_{22}\, p_1 + u_{33}\, p_1 p_2 + \cdots + u_{kk}\, p_1 p_2 \cdots p_{k-1}$ ,

which does not require a final modulo $P$ reduction. Applying the MRC algorithm to the
RSA decryption, we first compute

$M_1 := C^{d_1} \pmod p$ ,
$M_2 := C^{d_2} \pmod q$ ,

where $d_1$ and $d_2$ are the same as before. The triangular table in this case is rather small,
and consists of

$M_{11}$
$M_{21}\ \ M_{22}$

where $M_{11} = M_1$, $M_{21} = M_2$, and

$M_{22} = (M_{21} - M_{11})(p^{-1} \bmod q) \pmod q$ .

Therefore, $M$ is computed using

$M := M_1 + [(M_2 - M_1) \cdot (p^{-1} \bmod q) \bmod q] \cdot p$ .

This expression is correct since

$M \pmod p = M_1 + 0 = M_1$ ,
$M \pmod q = M_1 + (M_2 - M_1) \cdot 1 = M_2$ .

The MRC algorithm is more advantageous than the SRC algorithm for two reasons:
• It requires a single inverse computation: $p^{-1} \bmod q$.

• It does not require the final modulo $n$ reduction.

The inverse value $(p^{-1} \bmod q)$ can be precomputed and saved. Here, we note that the order
of $p$ and $q$ in the summation in the proposed public-key cryptography standard PKCS #1
is the reverse of our notation. The data structure [43] holding the values of the user's private
key has the variables:

exponent1    INTEGER,   -- d mod (p-1)
exponent2    INTEGER,   -- d mod (q-1)
coefficient  INTEGER    -- (inverse of q) mod p

Thus, it uses $(q^{-1} \bmod p)$ instead of $(p^{-1} \bmod q)$. Let $M_1$ and $M_2$ be defined as before. By
reversing $p, q$ and $M_1, M_2$ in the summation, we obtain

$M := M_2 + [(M_1 - M_2) \cdot (q^{-1} \bmod p) \bmod p] \cdot q$ .

This summation is also correct since

$M \pmod q = M_2 + 0 = M_2$ ,

$M \pmod p = M_2 + (M_1 - M_2) \cdot 1 = M_1$ ,

as required. Assuming $p$ and $q$ are $(k/2)$-bit binary numbers, and $d$ is as large as $n$, which
is a $k$-bit integer, we now calculate the total number of bit operations for the RSA decryp-
tion using the MRC algorithm. Assuming $d_1$, $d_2$, $(p^{-1} \bmod q)$ are precomputed, and that
the exponentiation algorithm is the binary method, we calculate the required number of
multiplications as

• Computation of $M_1$: $\frac{3}{2}(k/2)$ $(k/2)$-bit multiplications.

• Computation of $M_2$: $\frac{3}{2}(k/2)$ $(k/2)$-bit multiplications.

• Computation of $M$: One $(k/2)$-bit subtraction, two $(k/2)$-bit multiplications, and one
$k$-bit addition.

Also assuming multiplications are of order $k^2$, and subtractions are of order $k$, we calculate
the total number of bit operations as

$2 \cdot \frac{3}{2}(k/2)(k/2)^2 + 2(k/2)^2 + (k/2) + k = \frac{3k^3}{8} + \frac{k^2 + 3k}{2}$ .

On the other hand, the algorithm without the CRT would compute $M = C^d \pmod n$ di-
rectly, using $(3/2)k$ $k$-bit multiplications, which require $3k^3/2$ bit operations. Thus, consider-
ing the high-order terms, we conclude that the CRT based algorithm will be approximately
4 times faster.
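The SRC and MRC recombinations of this section, together with the PKCS #1 ordering that stores $(q^{-1} \bmod p)$, as an added Python example (not the report's code). The key is a constructed toy key ($p = 61$, $q = 53$, $e = 17$, $d = 2753$), far too small for real use; `pow(x, -1, m)` supplies the modular inverses.

```python
# RSA decryption with the CRT (Section 4.1): SRC, MRC and the PKCS #1 variant.
# Added example, not the report's code. Toy key constructed for illustration only.

P_, Q_ = 61, 53                       # constructed toy primes
N_ = P_ * Q_                          # 3233
E_ = 17
D_ = 2753                             # 17 * 2753 = 46801 = 15 * 3120 + 1, phi(n) = 3120

def crt_private_key(p, q, d):
    """Precompute d1 = d mod (p-1), d2 = d mod (q-1) and both CRT coefficients."""
    return {"p": p, "q": q,
            "d1": d % (p - 1), "d2": d % (q - 1),
            "p_inv_q": pow(p, -1, q),           # report's notation: p^-1 mod q
            "q_inv_p": pow(q, -1, p)}           # PKCS #1 'coefficient': q^-1 mod p

def half_exponentiations(C, key):
    """M1 = C^d1 mod p and M2 = C^d2 mod q, the two half-size exponentiations."""
    return pow(C, key["d1"], key["p"]), pow(C, key["d2"], key["q"])

def decrypt_src(C, key):
    """Single-radix conversion: needs two inverses and a final reduction modulo n."""
    p, q = key["p"], key["q"]
    M1, M2 = half_exponentiations(C, key)
    return (M1 * key["q_inv_p"] * q + M2 * key["p_inv_q"] * p) % (p * q)

def decrypt_mrc(C, key):
    """Mixed-radix conversion: one inverse, no final reduction modulo n."""
    p, q = key["p"], key["q"]
    M1, M2 = half_exponentiations(C, key)
    return M1 + (((M2 - M1) * key["p_inv_q"]) % q) * p

def decrypt_pkcs1(C, key):
    """Same recombination with p and q swapped, using the PKCS #1 coefficient q^-1 mod p."""
    p, q = key["p"], key["q"]
    M1, M2 = half_exponentiations(C, key)
    return M2 + (((M1 - M2) * key["q_inv_p"]) % p) * q

if __name__ == "__main__":
    key = crt_private_key(P_, Q_, D_)
    C = pow(65, E_, N_)               # 2790
    print(decrypt_src(C, key), decrypt_mrc(C, key), decrypt_pkcs1(C, key))   # 65 65 65
```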
4.2 Improving Montgomery's Method

The Montgomery method uses the Montgomery multiplication algorithm in order to compute
the multiplications and squarings required during the exponentiation process. One drawback of
the algorithm is that it requires the computation of $n'$, which has the property

$r \cdot r^{-1} - n \cdot n' = 1$ ,

where $r = 2^k$ and the $k$-bit number $n$ is the RSA modulus. In this section, we show how to
speed up the computation of $n'$ within the MonPro routine. Our first observation is that we
do not need the entire value of $n'$. We repeat the MonPro routine from Section 3.8 in order
to explain this observation:

function MonPro(ā, b̄)
  Step 1. t := ā · b̄
  Step 2. m := t · n' mod r
  Step 3. u := (t + m · n)/r
  Step 4. if u ≥ n then return u - n
          else return u

The multiplication of these multi-precision numbers is performed by breaking them into
words, as shown in Section 3.2. Let $w$ be the wordsize of the computer. Then, these large
numbers can be thought of as integers represented in radix $W = 2^w$. Assuming these numbers
require $s$ words in their radix $W$ representation, we can take $r = 2^{sw}$. The multiplication
routine, then, accomplishes its task by computing a series of inner-product operations. For
example, the multiplication of $a$ and $b$ in Step 1 is performed using:

1. for i = 0 to s - 1

2.   C := 0

3.   for j = 0 to s - 1

4.     (C, S) := t_{i+j} + a_j · b_i + C

5.     t_{i+j} := S

6.   t_{i+s} := C

When $a = b$, we can use the squaring algorithm given in Section 3.5. This will provide
about 50% savings in the time spent in Step 1 of the MonPro routine. The final value
obtained is the $2s$-precision integer $(t_{2s-1}\, t_{2s-2} \cdots t_0)$. The computation of $m$ and $u$ in Steps
2 and 3 of the MonPro routine can be interleaved. We first take $u = t$, and then add $m \cdot n$ to it
using the standard multiplication routine, and finally divide it by $2^{sw}$, which is accomplished
using a shift operation (or, we just ignore the lower $sw$ bits of $u$). Since $m = t \cdot n' \bmod r$ and
the interleaving process proceeds word by word, we can use $n'_0 = n' \bmod 2^w$ instead of $n'$.
This observation was made by Dusse and Kaliski [10], and used in their RSA implementation
for the Motorola DSP 56000.

Thus, after $t$ is computed by multiplying $a$ and $b$ using the above code, we proceed with
the following code, which updates $t$ in order to compute $t + m \cdot n$.
7. for i = 0 to s - 1

8.   C := 0

9.   m := t_i · n'_0 mod 2^w

10.  for j = 0 to s - 1

11.    (C, S) := t_{i+j} + m · n_j + C

12.    t_{i+j} := S

13.  for j = i + s to 2s - 1

14.    (C, S) := t_j + C

15.    t_j := S

16.  t_{2s} := t_{2s} + C

In Step 9, we multiply $t_i$ by $n'_0$ modulo $2^w$ to compute $m$. This value of $m$ is then used
in the inner-product step. Steps 13, 14, and 15 are needed to take care of the carry propagating
to the last word of $t$. We did not need these steps in multiplying $a$ and $b$ (Steps 1-6) since
the initial value of $t$ was zero. In Step 16, we save the last carry out of the operation in Step
14, adding it to the top word so that a carry saved in an earlier iteration is not lost. Thus,
the length of the variable $t$ becomes $2s + 1$ due to this carry. After Step 16, we
divide $t$ by $r$, i.e., simply ignore the lower half of $t$. The resulting value is $u$, which is then
compared to $n$; if it is larger than $n$, we subtract $n$ from it and return this value. These
steps of the MonPro routine are given below:

17. for j = 0 to s

18.   u_j := t_{j+s}

19. B := 0

20. for j = 0 to s

21.   (B, D) := u_j - n_j - B

22.   v_j := D

23. if B = 0 then return (v_{s-1} v_{s-2} ··· v_0)

    else return (u_{s-1} u_{s-2} ··· u_0)

Thus, we have greatly simplified the MonPro routine by avoiding the full computation of
$n'$, and by using only single-precision multiplication to multiply $t$ and $n'$. In the following, we
will give an efficient algorithm for computing $n'_0$. However, before that, we give an example in
which the computations performed in the MonPro routine are summarized. In this example,
we will use decimal arithmetic for simplicity of the illustration. Let $n = 311$ and $r = 1000$.
It is easy to show that the inverse of $r$ is

$r^{-1} = 65 \pmod n$ ,

and also that

$n' = \frac{r \cdot r^{-1} - 1}{n} = \frac{1000 \cdot 65 - 1}{311} = 209$ ,

and thus $n'_0 = 9$. We will compute the Montgomery product of 216 and 123, which is equal
to 248 since

$\mathrm{MonPro}(216, 123) = 216 \cdot 123 \cdot r^{-1} = 248 \pmod n$ .
The first step of the algorithm is to compute the product $216 \cdot 123$, accomplished in Steps
1-6. The initial value of $t$ is zero, i.e., $t = 000\,000$; after Steps 1-6 it is $t = 026\,568$.

Then, we execute Steps 7 through 16, in order to compute $(t + m \cdot n)$ using the value of
$n'_0 = 9$. The initial value $t = 026\,568$ comes from the previous step. Steps 7 through 16
are illustrated below:
After Step 15, we divide $t$ by $r$ by shifting it $s$ words to the right. Thus, we obtain the
value of $u$ as 248. Then, a subtraction is performed to check if $u \ge n$; if it is, $u - n$ is returned
as the final product value. Since in our example $248 < 311$, we return 248 as the result of
the routine MonPro(216, 123), which is the correct value.
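The word-level MonPro of Steps 1-23 as an added Python example (not the report's code), with operands held as lists of radix-$W$ words. $W = 10$ reproduces the decimal illustration above ($n = 311$, $r = 1000$, $n'_0 = 9$); the same routine runs with $W = 2^w$. Step 16 accumulates the top carry into $t_{2s}$ instead of overwriting it, which the $n = 99$ case in the test needs: there the carry into $t_{2s}$ arises in the first outer iteration and would otherwise be dropped.

```python
# Word-level Montgomery product with n'_0 (Section 4.2, Steps 1-23).
# Added example, not the report's code. Words are least-significant first.

def to_words(x, W, count):
    return [(x // W ** i) % W for i in range(count)]

def from_words(words, W):
    return sum(d * W ** i for i, d in enumerate(words))

def monpro_words(a, b, n, n0_prime, W, s):
    """Return a*b*r^-1 mod n for r = W^s, given n'_0 = -n^-1 mod W and a, b < n < r."""
    aw, bw = to_words(a, W, s), to_words(b, W, s)
    nw = to_words(n, W, s) + [0]                  # n_s = 0 for the (s+1)-word subtraction
    t = [0] * (2 * s + 1)
    for i in range(s):                            # Steps 1-6: t := a * b
        C = 0
        for j in range(s):
            C, t[i + j] = divmod(t[i + j] + aw[j] * bw[i] + C, W)
        t[i + s] = C
    for i in range(s):                            # Steps 7-16: t := t + m * n, word by word
        C = 0
        m = (t[i] * n0_prime) % W                 # Step 9: single-precision product with n'_0
        for j in range(s):                        # Steps 10-12
            C, t[i + j] = divmod(t[i + j] + m * nw[j] + C, W)
        for j in range(i + s, 2 * s):             # Steps 13-15: propagate the carry
            C, t[j] = divmod(t[j] + C, W)
        t[2 * s] += C                             # Step 16: accumulate, do not overwrite
    u = t[s:]                                     # Steps 17-18: divide by r = drop the low s words
    B, v = 0, [0] * (s + 1)
    for j in range(s + 1):                        # Steps 19-22: trial subtraction u - n
        diff = u[j] - nw[j] - B
        B = 1 if diff < 0 else 0
        v[j] = diff % W
    return from_words(v[:s] if B == 0 else u[:s], W)   # Step 23

if __name__ == "__main__":
    print(monpro_words(216, 123, 311, 9, 10, 3))  # 248
```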

As we have pointed out earlier, there is an efficient algorithm for computing the single-
precision integer $n'_0$. The computation of $n'_0$ can be performed by a specialized Euclidean
algorithm instead of the general extended Euclidean algorithm. Since $r = 2^{sw}$ and
$r \cdot r^{-1} - n \cdot n' = 1$, we take both sides modulo $2^w$ and obtain

$-n \cdot n' = 1 \pmod{2^w}$ ,

or, in other words,

$n'_0 = -n_0^{-1} \pmod{2^w}$ ,

where $n'_0$ and $n_0^{-1}$ are the least significant words (the least significant $w$ bits) of $n'$ and $n^{-1}$,
respectively. In order to compute $-n_0^{-1} \pmod{2^w}$, we use the algorithm given below, which
computes $x^{-1} \pmod{2^w}$ for a given odd $x$.

function ModInverse(x, 2^w) { x is odd }

  1. y_1 := 1

  2. for i = 2 to w

  3.   if 2^{i-1} < x · y_{i-1} (mod 2^i)

         then y_i := y_{i-1} + 2^{i-1}
         else y_i := y_{i-1}

  4. return y_w

The correctness of the algorithm follows from the observation that, at every step $i$, we have

$x \cdot y_i = 1 \pmod{2^i}$ .

This algorithm is very efficient, and uses single-precision additions and multiplications in order
to compute $x^{-1}$. As an example, we compute $23^{-1} \pmod{64}$ using the above algorithm.
Here we have $x = 23$, $w = 6$. The steps of the algorithm, the temporary values, and the
final inverse are shown below:
Thus, we compute $23^{-1} = 39 \pmod{64}$. This is indeed the correct value since

$23 \cdot 39 = 14 \cdot 64 + 1 = 1 \pmod{64}$ .

Also, at every step $i$, we have $x \cdot y_i = 1 \pmod{2^i}$, as shown below:

  i    x · y_i mod 2^i
  1    23 · 1  = 1 mod 2
  2    23 · 3  = 1 mod 4
  3    23 · 7  = 1 mod 8
  4    23 · 7  = 1 mod 16
  5    23 · 7  = 1 mod 32
  6    23 · 39 = 1 mod 64
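ModInverse and its use for $n'_0$ as an added Python example (not the report's code). It returns the full sequence $y_1, \ldots, y_w$ so the table above can be checked, and `n0_prime` applies it to recover the $n' = 11$ of the Section 3.8.2 example ($n = 13$, $w = 4$).

```python
# ModInverse(x, 2^w) from Section 4.2 and n'_0 = -n_0^-1 mod 2^w.
# Added example, not the report's code.

def mod_inverse_pow2(x, w):
    """Return (x^-1 mod 2^w, [y_1, ..., y_w]) for odd x, fixing one bit per step."""
    if x % 2 == 0:
        raise ValueError("x must be odd to be invertible modulo 2^w")
    y = 1                                          # Step 1: y_1 := 1, since x * 1 = 1 (mod 2)
    trace = [y]
    for i in range(2, w + 1):                      # Step 2
        # Invariant: x*y = 1 (mod 2^(i-1)), so x*y mod 2^i is either 1 or 1 + 2^(i-1).
        if (x * y) % (1 << i) > (1 << (i - 1)):    # Step 3: 2^(i-1) < x * y_{i-1} (mod 2^i)
            y += 1 << (i - 1)                      # set bit i-1 to clear the excess
        trace.append(y)
    return y, trace                                # Step 4: y_w

def n0_prime(n, w):
    """n'_0 = -n^-1 mod 2^w: the only word of n' the word-level MonPro needs."""
    return (-mod_inverse_pow2(n % (1 << w), w)[0]) % (1 << w)

def invariant_holds(x, w):
    """True when x * y_i = 1 (mod 2^i) at every step, as the table above shows."""
    _, trace = mod_inverse_pow2(x, w)
    return all((x * y) % (1 << i) == 1 for i, y in enumerate(trace, start=1))

if __name__ == "__main__":
    print(mod_inverse_pow2(23, 6))                 # (39, [1, 3, 7, 7, 7, 39])
    print(n0_prime(13, 4))                         # 11
```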
4.3 Performance Analysis

In this section, we give timing analyses of the RSA encryption and decryption operations.
This analysis can be used to estimate the performance of the RSA encryption and decryption
operations on a given computer system. The analysis is based on the following assumptions.

Algorithmic Issues:

1. The exponentiation algorithm is the binary method.

2. The Montgomery reduction algorithm is used for the modular multiplications.

3. The improvements on the Montgomery method are taken into account.

Data Size:

1. The size of $n$ is equal to $s$ words.

2. The sizes of $p$ and $q$ are $s/2$ words.

3. The sizes of $M$ and $C$ are $s$ words.

4. The size of $e$ is $k_e$ bits.

5. The Hamming weight of $e$ is equal to $h_e$, where $1 \le h_e \le k_e$.

6. The size of $d$ is $k_d$ bits.

7. The Hamming weight of $d$ is equal to $h_d$, where $1 \le h_d \le k_d$.

Precomputed Values:

1. The private exponents $d_1$ and $d_2$ are precomputed and available.

2. The coefficient $(p^{-1} \bmod q)$ or $(q^{-1} \bmod p)$ is precomputed and available.

Computer Platform:

1. The wordsize of the computer is $w$ bits.

2. The addition of two single-precision integers requires $A$ cycles.

3. The multiplication of two single-precision integers requires $P$ cycles.

4. The inner-product operation requires $2A + P$ cycles.

In the following sections, we will analyze the performance of the RSA encryption and
decryption operations separately based on the preceding assumptions.
4.3.1 RSA Encryption

The encryption operation using the Montgomery product first computes $n'_0$, which requires

$\sum_{i=2}^{w} (P + A) = (w - 1)(P + A)$   (4.1)

cycles. It then proceeds to compute $\bar{M} = M \cdot r \pmod n$ and $\bar{C} = 1 \cdot r \pmod n$. The
computation of $\bar{M}$ requires $sw$ $s$-precision subtractions. The computation of $\bar{C}$, on the other
hand, may require up to $w$ $s$-precision subtractions. Thus, these operations together require

$sw(sA) + w(sA) = (s^2 + s)wA$   (4.2)

cycles. We then start the exponentiation algorithm, which requires $(k_e - 1)$ Montgomery
square and $(h_e - 1)$ Montgomery product operations. The Montgomery product operation
first computes the product $a \cdot b$, which requires

$\sum_{i=0}^{s-1} \sum_{j=0}^{s-1} (P + 2A) = s^2 (P + 2A)$

cycles. Then Steps 7 through 15 are followed, requiring

$\sum_{i=0}^{s-1} \left[ P + \sum_{j=0}^{s-1} (P + 2A) + \sum_{j=i+s}^{2s-1} A \right] = sP + s^2(P + 2A) + \frac{s^2 + s}{2} A = (s^2 + s)P + \frac{5s^2 + s}{2} A$

cycles. The $s$-precision subtraction operation which is performed in Steps 18-21 requires a
total of $s$ single-precision subtractions. Thus, Steps 7 through 22 require a total of

$(s^2 + s)P + \frac{5s^2 + s}{2} A + sA = (s^2 + s)P + \frac{5s^2 + 3s}{2} A$

cycles. Thus, we calculate the total number of cycles required by the Montgomery product routine
as

$s^2(P + 2A) + (s^2 + s)P + \frac{5s^2 + 3s}{2} A = (2s^2 + s)P + \frac{9s^2 + 3s}{2} A$ .   (4.3)

The Montgomery square routine uses the optimized squaring algorithm of Section 3.5 in
order to compute $a \cdot a$. This step requires

cycles. The remainder of the Montgomery square algorithm is the same as the Montgomery
product algorithm. Thus, the Montgomery square routine requires a total of

$\frac{s^2 - s}{2}(P + 2A) + (s^2 + s)P + \frac{5s^2 + 3s}{2} A = \frac{3s^2 + s}{2} P + \frac{7s^2 + s}{2} A$   (4.4)

cycles. The total number of cycles required by the RSA encryption operation is then found
by adding the number of cycles for computing $n'_0$ given by Equation (4.1), the number of
cycles required for computing $\bar{M}$ and $\bar{C}$ given by Equation (4.2), $(k_e - 1)$ times the number
of cycles required by the Montgomery square operation given by Equation (4.4), and $(h_e - 1)$
times the number of cycles required by the Montgomery product operation given by Equation
(4.3). The total number of cycles is found as

$T_1(s, k_e, h_e, w, P, A) = (w - 1)(P + A) + (s^2 + s)wA + (k_e - 1)\left[\frac{3s^2 + s}{2} P + \frac{7s^2 + s}{2} A\right] + (h_e - 1)\left[(2s^2 + s)P + \frac{9s^2 + 3s}{2} A\right]$   (4.5)



4.3.2 RSA Decryption without the CRT

The RSA decryption operation without the Chinese remainder theorem, i.e., disregarding the
knowledge of the factors of the user's modulus, is the same operation as the RSA encryption.
Thus, the total number of cycles required by the RSA decryption operation is the same as
the one given in Equation (4.5), except that $k_e$ and $h_e$ are replaced by $k_d$ and $h_d$, respectively:

$T_1(s, k_d, h_d, w, P, A) = (w - 1)(P + A) + (s^2 + s)wA + (k_d - 1)\left[\frac{3s^2 + s}{2} P + \frac{7s^2 + s}{2} A\right] + (h_d - 1)\left[(2s^2 + s)P + \frac{9s^2 + 3s}{2} A\right]$   (4.6)



4.3.3 RSA Decryption with the CRT

The RSA decryption operation using the Chinese remainder theorem first computes $M_1$ and
$M_2$ using

$M_1 := C^{d_1} \pmod p$ ,
$M_2 := C^{d_2} \pmod q$ .

The computation of $M_1$ is equivalent to the RSA encryption with the exponent $d_1$ and
modulus $p$. Assuming the number of words required to represent $p$ is equal to $s/2$, we find
the number of cycles required in computing $M_1$ as

$T_1(s/2, k_{d_1}, h_{d_1}, w, P, A)$ ,

where $k_{d_1}$ and $h_{d_1}$ are the bit size and Hamming weight of $d_1$, respectively. Similarly, the
computation of $M_2$ requires

$T_1(s/2, k_{d_2}, h_{d_2}, w, P, A)$

cycles. Then, the mixed-radix conversion algorithm computes $M$ using

$M := M_1 + (M_2 - M_1) \cdot (p^{-1} \bmod q) \cdot p$ ,

which requires one $s/2$-precision subtraction, two $s$-precision multiplications, and one $s$-
precision addition. This requires a total of

$\frac{s}{2} A + 2s^2 (P + 2A) + sA = 2s^2 P + \left(4s^2 + \frac{3s}{2}\right) A$

cycles, assuming the coefficient $(p^{-1} \bmod q)$ is available. Therefore, we compute the total
number of cycles required by the RSA decryption operation with the CRT as

$T_2(s, k_{d_1}, h_{d_1}, k_{d_2}, h_{d_2}, w, P, A) = T_1\!\left(\tfrac{s}{2}, k_{d_1}, h_{d_1}, w, P, A\right) + T_1\!\left(\tfrac{s}{2}, k_{d_2}, h_{d_2}, w, P, A\right) + 2s^2 P + \left(4s^2 + \frac{3s}{2}\right) A$ .   (4.7)



4.3.4 Simplified Analysis

In this section, we will consider three cases in order to simplify the performance analysis of the RSA encryption and decryption operations.

Short Exponent RSA Encryption: We will take the public exponent as $e = 2^{16} + 1$. Thus, $k_e = 17$ and $h_e = 2$. This gives the total number of cycles as

$$T_{es}(s, w, P, A) = \left(Aw + 26P + \frac{121A}{2}\right)s^2 + \left(Aw + 9P + \frac{19A}{2}\right)s + (w - 1)(P + A) . \qquad (4.8)$$



Long Exponent RSA Encryption: We will assume that the public exponent has exactly $k$ bits (i.e., the number of bits in $n$), and its Hamming weight is equal to $k/2$. Thus, $k_e = k = sw$ and $h_e = k/2 = sw/2$. This case is also equivalent to the RSA decryption without the CRT in terms of the number of cycles required to perform the operation. This gives the total number of cycles as

$$T_{el}(s, w, P, A) = \left(\frac{5Pw}{2} + \frac{23Aw}{4}\right)s^3 + \left(Pw + \frac{9Aw}{4} - \frac{7P}{2} - 8A\right)s^2 + \left(Aw - \frac{3P}{2} - 2A\right)s + (w - 1)(P + A) . \qquad (4.9)$$



RSA Decryption with CRT: The number of bits and the Hamming weights of $d_1$ and $d_2$ are assumed to be given as $k_{d_1} = k_{d_2} = k/2 = sw/2$ and $h_{d_1} = h_{d_2} = k/4 = sw/4$. Since $k_{d_1} = k_{d_2}$ and $h_{d_1} = h_{d_2}$, we have

$$T_{dl}(s, w, P, A) = 2\,T_1(\tfrac{s}{2}, \tfrac{sw}{2}, \tfrac{sw}{4}, w, P, A) + 2s^2 P + \left(4s^2 + \frac{3s}{2}\right)A .$$

Substituting $k_{d_1} = sw/2$ and $h_{d_1} = sw/4$, we obtain

$$T_{dl}(s, w, P, A) = \left(\frac{5Pw}{8} + \frac{23Aw}{16}\right)s^3 + \left(\frac{Pw}{2} + \frac{9Aw}{8} + \frac{P}{4}\right)s^2 + \left(Aw - \frac{3P}{2} - \frac{A}{2}\right)s + 2(w - 1)(P + A) . \qquad (4.10)$$



4.3.5 An Example 

In a given computer implementation, the values of $w$, $P$, and $A$ are fixed. Thus, the number of cycles required is a function of $s$, i.e., the word-length of the modulus. In this section, we will apply the above analysis to the Analog Devices Signal Processor ADSP 2105. This signal processor has a data path of $w = 16$ bits, and runs with a clock speed of 10 MHz. Furthermore, examining the arithmetic instructions, we have determined that the ADSP 2105 signal processor adds or multiplies two single-precision numbers in a single clock cycle. Considering the read and write times, we take $A = 3$ and $P = 3$. The simplified expressions for $T_{es}$, $T_{el}$, and $T_{dl}$ are given below:

$$T_{es} = \frac{615}{2}s^2 + \frac{207}{2}s + 90 ,$$

$$T_{el} = 396 s^3 + \frac{243}{2}s^2 + \frac{75}{2}s + 90 ,$$

$$T_{dl} = 99 s^3 + \frac{315}{4}s^2 + 42 s + 180 .$$

Using the clock cycle time of the ADSP 2105 as 100 ns, we tabulate the encryption and decryption times for the values of $k = 128, 256, 384, \ldots, 1024$, corresponding to the values of $s = 8, 16, 24, \ldots, 64$, respectively. The following table summarizes the times (in milliseconds) of the short exponent RSA encryption ($T_{es}$), the long exponent RSA encryption ($T_{el}$), and the RSA decryption with the CRT ($T_{dl}$).



   k     T_es     T_el     T_dl
 128        3       21        6
 256        8      165       43
 384       18      555      142
 512       32    1,310      333
 640       50    2,554      646
 768       71    4,408    1,113
 896       97    6,993    1,764
1024      127   10,431    2,628



Our experiments with the ADSP simulator validated these estimated values. However, we note that the values of $P$ and $A$ must be carefully determined for a reliable estimation of the timings of the RSA encryption and decryption operations.
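To make the cycle model concrete, here is an added Python example (not code from the thesis) that evaluates Equations (4.3) to (4.7) as written, derives the three simplified cases of Section 4.3.4 from them, and reproduces the ADSP 2105 table; the closed-form polynomials of Section 4.3.5 are checked against the general model rather than typed in as the result. The cycle time of 100 ns and the parameters w = 16, P = A = 3 are taken from the text.

```python
from fractions import Fraction as F


def mont_product_cycles(s, P, A):
    """Eq. (4.3): cycles for one Montgomery product on s-word operands."""
    s = F(s)
    return (2 * s * s + s) * P + (9 * s * s + 3 * s) / 2 * A


def mont_square_cycles(s, P, A):
    """Eq. (4.4): cycles for one Montgomery square (optimized squaring)."""
    s = F(s)
    return (3 * s * s + s) / 2 * P + (7 * s * s + s) / 2 * A


def T1(s, k, h, w, P, A):
    """Eq. (4.5)/(4.6): exponentiation with a k-bit exponent of Hamming
    weight h: n'_0 setup, Montgomery conversion of M and C, (k-1) squares
    and (h-1) products."""
    s = F(s)
    return ((w - 1) * (P + A) + (s * s + s) * w * A
            + (k - 1) * mont_square_cycles(s, P, A)
            + (h - 1) * mont_product_cycles(s, P, A))


def T2(s, k1, h1, k2, h2, w, P, A):
    """Eq. (4.7): CRT decryption, two half-size exponentiations plus the
    mixed-radix recombination M = M1 + (M2 - M1)(p^-1 mod q)p."""
    s = F(s)
    return (T1(s / 2, k1, h1, w, P, A) + T1(s / 2, k2, h2, w, P, A)
            + 2 * s * s * P + (4 * s * s + 3 * s / 2) * A)


# The three simplified cases of Section 4.3.4.
def T_es(s, w, P, A):            # e = 2^16 + 1: k_e = 17, h_e = 2
    return T1(s, 17, 2, w, P, A)


def T_el(s, w, P, A):            # full-length exponent of weight k/2
    k = s * w
    return T1(s, k, F(k, 2), w, P, A)


def T_dl(s, w, P, A):            # CRT: k_di = k/2, h_di = k/4
    k = s * w
    return T2(s, F(k, 2), F(k, 4), F(k, 2), F(k, 4), w, P, A)


# ADSP 2105 parameters from Section 4.3.5.
W, P_ADSP, A_ADSP = 16, 3, 3
CYCLE_NS = 100


def closed_forms_match(s):
    """Check the simplified polynomials of Section 4.3.5 against the model."""
    s = F(s)
    return (T_es(s, W, P_ADSP, A_ADSP) == F(615, 2) * s**2 + F(207, 2) * s + 90
            and T_el(s, W, P_ADSP, A_ADSP) == 396 * s**3 + F(243, 2) * s**2 + F(75, 2) * s + 90
            and T_dl(s, W, P_ADSP, A_ADSP) == 99 * s**3 + F(315, 4) * s**2 + 42 * s + 180)


def adsp_table():
    """Rows (k, T_es ms, T_el ms, T_dl ms), rounded to whole milliseconds."""
    def ms(cycles):
        return round(float(cycles) * CYCLE_NS / 1e6)
    rows = []
    for s in range(8, 65, 8):
        k = s * W
        rows.append((k, ms(T_es(s, W, P_ADSP, A_ADSP)),
                     ms(T_el(s, W, P_ADSP, A_ADSP)),
                     ms(T_dl(s, W, P_ADSP, A_ADSP))))
    return rows


if __name__ == "__main__":
    for row in adsp_table():
        print("k=%4d  T_es=%4d ms  T_el=%6d ms  T_dl=%5d ms" % row)
```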
I. Introduction

The era of "electronic mail" [10] may soon be upon us; we must ensure that two important properties of the current "paper mail" system are preserved: (a) messages are private, and (b) messages can be signed. We demonstrate in this paper how to build these capabilities into an electronic mail system, based on a "public-key cryptosystem," a concept invented by Diffie and Hellman [1]. Their article motivated our research, since they presented the concept but not any practical implementation of such a system. Readers familiar with [1] may wish to skip directly to Section V for a description of our method.



II. Public-Key Cryptosystems

In a "public-key cryptosystem" each user places in a public file an encryption procedure E. That is, the public file is a directory giving the encryption procedure of each user. The user keeps secret the details of his corresponding decryption procedure D. These procedures have the following four properties:

(a) Deciphering the enciphered form of a message M yields M. Formally,

D(E(M)) = M. (1)

(b) Both E and D are easy to compute.

(c) By publicly revealing E the user does not reveal an easy way to compute D. This means that in practice only he can decrypt messages encrypted with E, or compute D efficiently.

(d) If a message M is first deciphered and then enciphered, M is the result. Formally,

E(D(M)) = M. (2)

An encryption (or decryption) procedure typically consists of a general method and an encryption key. The general method, under control of the key, enciphers a message M to obtain the enciphered form of the message, called the ciphertext C. Everyone can use the same general method; the security of a given procedure will rest on the security of the key. Revealing an encryption algorithm then means revealing the key.

When the user reveals E he reveals a very inefficient method of computing D(C): testing all possible messages M until one such that E(M) = C is found. If property (c) is satisfied the number of such messages to test will be so large that this approach is impractical.

A function E satisfying (a)-(c) is a "trap-door one-way function;" if it also satisfies (d) it is a "trap-door one-way permutation." Diffie and Hellman [1] introduced the concept of trap-door one-way functions but did not present any examples. These functions are called "one-way" because they are easy to compute in one direction but (apparently) very difficult to compute in the other direction. They are called "trap-door" functions since the inverse functions are in fact easy to compute once certain private "trap-door" information is known. A trap-door one-way function which also satisfies (d) must be a permutation: every message is the ciphertext for some other message and every ciphertext is itself a permissible message. (The mapping is "one-to-one" and "onto".) Property (d) is needed only to implement "signatures".

The reader is encouraged to read Diffie and Hellman's excellent article [1] for further background, for elaboration of the concept of a public-key cryptosystem, and for a discussion of other problems in the area of cryptography. The ways in which a public-key cryptosystem can ensure privacy and enable "signatures" (described in Sections III and IV below) are also due to Diffie and Hellman.

For our scenarios we suppose that A and B (also known as Alice and Bob) are two users of a public-key cryptosystem. We will distinguish their encryption and decryption procedures with subscripts: E_A, D_A, E_B, D_B.

III. Privacy

Encryption is the standard means of rendering a communication private. The sender enciphers each message before transmitting it to the receiver. The receiver (but no unauthorized person) knows the appropriate deciphering function to apply to the received message to obtain the original message. An eavesdropper who hears the transmitted message hears only "garbage" (the ciphertext) which makes no sense to him since he does not know how to decrypt it.

The large volume of personal and sensitive information currently held in computerized data banks and transmitted over telephone lines makes encryption increasingly important. In recognition of the fact that efficient, high-quality encryption techniques are very much needed but are in short supply, the National Bureau of Standards has recently adopted a "Data Encryption Standard" [13, 14], developed at IBM. The new standard does not have property (c), needed to implement a public-key cryptosystem.

All classical encryption methods (including the NBS standard) suffer from the "key distribution problem." The problem is that before a private communication can begin, another private transaction is necessary to distribute corresponding encryption and decryption keys to the sender and receiver, respectively. Typically a private courier is used to carry a key from the sender to the receiver. Such a practice is not feasible if an electronic mail system is to be rapid and inexpensive. A public-key cryptosystem needs no private couriers; the keys can be distributed over the insecure communications channel.

How can Bob send a private message M to Alice in a public-key cryptosystem? First, he retrieves E_A from the public file. Then he sends her the enciphered message E_A(M). Alice deciphers the message by computing D_A(E_A(M)) = M. By property (c) of the public-key cryptosystem only she can decipher E_A(M). She can encipher a private response with E_B, also available in the public file.

Observe that no private transactions between Alice and Bob are needed to establish private communication. The only "setup" required is that each user who wishes to receive private communications must place his enciphering algorithm in the public file.

Two users can also establish private communication over an insecure communications channel without consulting a public file. Each user sends his encryption key to the other. Afterwards all messages are enciphered with the encryption key of the recipient, as in the public-key system. An intruder listening in on the channel cannot decipher any messages, since it is not possible to derive the decryption keys from the encryption keys. (We assume that the intruder cannot modify or insert messages into the channel.) Ralph Merkle has developed another solution [5] to this problem.

A public-key cryptosystem can be used to "bootstrap" into a standard encryption scheme such as the NBS method. Once secure communications have been established, the first message transmitted can be a key to use in the NBS scheme to encode all following messages. This may be desirable if encryption with our method is slower than with the standard scheme. (The NBS scheme is probably somewhat faster if special-purpose hardware encryption devices are used; our scheme may be faster on a general-purpose computer since multiprecision arithmetic operations are simpler to implement than complicated bit manipulations.)



IV. Signatures

If electronic mail systems are to replace the existing paper mail system for business transactions, "signing" an electronic message must be possible. The recipient of a signed message has proof that the message originated from the sender. This quality is stronger than mere authentication (where the recipient can verify that the message came from the sender); the recipient can convince a "judge" that the signer sent the message. To do so, he must convince the judge that he did not forge the signed message himself! In an authentication problem the recipient does not worry about this possibility, since he only wants to satisfy himself that the message came from the sender.

An electronic signature must be message-dependent, as well as signer-dependent. Otherwise the recipient could modify the message before showing the message-signature pair to a judge. Or he could attach the signature to any message whatsoever, since it is impossible to detect electronic "cutting and pasting."

To implement signatures the public-key cryptosystem must be implemented with trap-door one-way permutations (i.e., have property (d)), since the decryption algorithm will be applied to unenciphered messages.

How can user Bob send Alice a "signed" message M in a public-key cryptosystem? He first computes his "signature" S for the message M using D_B:

S = D_B(M).

(Deciphering an unenciphered message "makes sense" by property (d) of a public-key cryptosystem: each message is the ciphertext for some other message.) He then encrypts S using E_A (for privacy), and sends the result E_A(S) to Alice. He need not send M as well; it can be computed from S.

Alice first decrypts the ciphertext with D_A to obtain S. She knows who is the presumed sender of the signature (in this case, Bob); this can be given if necessary in plain text attached to S. She then extracts the message with the encryption procedure of the sender, in this case E_B (available on the public file):

E_B(S).

She now possesses a message-signature pair (M, S) with properties similar to those of a signed paper document.

Bob cannot later deny having sent Alice this message, since no one else could have created S = D_B(M). Alice can convince a "judge" that E_B(S) = M, so she has proof that Bob signed the document.

Clearly Alice cannot modify M to a different version M', since then she would have to create the corresponding signature S' = D_B(M') as well.

Therefore Alice has received a message "signed" by Bob, which she can "prove" that he sent, but which she cannot modify. (Nor can she forge his signature for any other message.)

An electronic checking system could be based on a signature system such as the above. It is easy to imagine an encryption device in your home terminal allowing you to sign checks that get sent by electronic mail to the payee. It would only be necessary to include a unique check number in each check so that even if the payee copies the check the bank will only honor the first version it sees.

Another possibility arises if encryption devices can be made fast enough: it will be possible to have a telephone conversation in which every word spoken is signed by the encryption device before transmission.

When encryption is used for signatures as above, it is important that the encryption device not be "wired in" between the terminal (or computer) and the communications channel, since a message may have to be successively enciphered with several keys. It is perhaps more natural to view the encryption device as a "hardware subroutine" that can be executed as needed.

We have assumed above that each user can always access the public file reliably. In a "computer network" this might be difficult; an "intruder" might forge messages purporting to be from the public file. The user would like to be sure that he actually obtains the encryption procedure of his desired correspondent and not, say, the encryption procedure of the intruder. This danger disappears if the public file "signs" each message it sends to a user. The user can check the signature with the public file's encryption algorithm E_PF. The problem of "looking up" E_PF itself in the public file is avoided by giving each user a description of E_PF when he first shows up (in person) to join the public-key cryptosystem and to deposit his public encryption procedure. He then stores this description rather than ever looking it up again. The need for a courier between every pair of users has thus been replaced by the requirement for a single secure meeting between each user and the public-file manager when the user joins the system. Another solution is to give each user, when he signs up, a book (like a telephone directory) containing all the encryption keys of users in the system.

V. Our Encryption and Decryption Methods

To encrypt a message M with our method, using a public encryption key (e, n), proceed as follows. (Here e and n are a pair of positive integers.)

First, represent the message as an integer between 0 and n - 1. (Break a long message into a series of blocks, and represent each block as such an integer.) Use any standard representation. The purpose here is not to encrypt the message but only to get it into the numeric form necessary for encryption.

Then, encrypt the message by raising it to the e-th power modulo n. That is, the result (the ciphertext C) is the remainder when M^e is divided by n.

To decrypt the ciphertext, raise it to another power d, again modulo n. The encryption and decryption algorithms E and D are thus:

C = E(M) ≡ M^e (mod n), for a message M.
D(C) ≡ C^d (mod n), for a ciphertext C.

Note that encryption does not increase the size of a message; both the message and the ciphertext are integers in the range 0 to n - 1.

The encryption key is thus the pair of positive integers (e, n). Similarly, the decryption key is the pair of positive integers (d, n). Each user makes his encryption key public, and keeps the corresponding decryption key private. (These integers should properly be subscripted as in n_A, e_A, and d_A, since each user has his own set. However, we will only consider a typical set, and will omit the subscripts.)

How should you choose your encryption and decryption keys, if you want to use our method?

You first compute n as the product of two primes p and q:

n = p * q.

These primes are very large, "random" primes. Although you will make n public, the factors p and q will be effectively hidden from everyone else due to the enormous difficulty of factoring n. This also hides the way d can be derived from e.

Communications of the ACM, February 1978, Volume 21, Number 2

You then pick the integer d to be a large, random integer which is relatively prime to (p - 1) * (q - 1). That is, check that d satisfies

gcd(d, (p - 1) * (q - 1)) = 1

("gcd" means "greatest common divisor").

The integer e is finally computed from p, q, and d to be the "multiplicative inverse" of d, modulo (p - 1) * (q - 1). Thus we have

e * d ≡ 1 (mod (p - 1) * (q - 1)).

We prove in the next section that this guarantees that (1) and (2) hold, i.e. that E and D are inverse permutations. Section VII shows how each of the above operations can be done efficiently.

The aforementioned method should not be confused with the "exponentiation" technique presented by Diffie and Hellman [1] to solve the key distribution problem. Their technique permits two users to determine a key in common to be used in a normal cryptographic system. It is not based on a trap-door one-way permutation. Pohlig and Hellman [8] study a scheme related to ours, where exponentiation is done modulo a prime number.

VI. The Underlying Mathematics

We demonstrate the correctness of the deciphering algorithm using an identity due to Euler and Fermat [7]: for any integer (message) M which is relatively prime to n,

$$M^{\varphi(n)} \equiv 1 \pmod{n}. \qquad (3)$$

Here $\varphi(n)$ is the Euler totient function giving the number of positive integers less than n which are relatively prime to n. For prime numbers p,

$$\varphi(p) = p - 1.$$

In our case, we have by elementary properties of the totient function [7]:

$$\varphi(n) = \varphi(p) \cdot \varphi(q) = (p - 1) \cdot (q - 1) = n - (p + q) + 1. \qquad (4)$$

Since d is relatively prime to $\varphi(n)$, it has a multiplicative inverse e in the ring of integers modulo $\varphi(n)$:

$$e \cdot d \equiv 1 \pmod{\varphi(n)}. \qquad (5)$$

We now prove that equations (1) and (2) hold (that is, that deciphering works correctly if e and d are chosen as above). Now

$$D(E(M)) \equiv (E(M))^d \equiv (M^e)^d = M^{e \cdot d} \pmod{n}$$
$$E(D(M)) \equiv (D(M))^e \equiv (M^d)^e = M^{e \cdot d} \pmod{n}$$

and

$$M^{e \cdot d} = M^{k \cdot \varphi(n) + 1} \pmod{n} \quad \text{(for some integer } k\text{)}.$$

From (3) we see that for all M such that p does not divide M

$$M^{p-1} \equiv 1 \pmod{p}$$

and since (p - 1) divides $\varphi(n)$

$$M^{k \cdot \varphi(n) + 1} \equiv M \pmod{p}.$$

This is trivially true when $M \equiv 0 \pmod{p}$, so that this equality actually holds for all M. Arguing similarly for q yields

$$M^{k \cdot \varphi(n) + 1} \equiv M \pmod{q}.$$

Together these last two equations imply that for all M,

$$M^{e \cdot d} \equiv M^{k \cdot \varphi(n) + 1} \equiv M \pmod{n}.$$

This implies (1) and (2) for all M, 0 ≤ M < n. Therefore E and D are inverse permutations. (We thank Rich Schroeppel for suggesting the above improved version of the authors' previous proof.)

VII. Algorithms

To show that our method is practical, we describe an efficient algorithm for each required operation.

A. How to Encrypt and Decrypt Efficiently

Computing M^e (mod n) requires at most 2 * log_2(e) multiplications and 2 * log_2(e) divisions using the following procedure (decryption can be performed similarly using d instead of e):

Step 1. Let e_k e_{k-1} ... e_1 e_0 be the binary representation of e.

Step 2. Set the variable C to 1.

Step 3. Repeat steps 3a and 3b for i = k, k - 1, ..., 0:

Step 3a. Set C to the remainder of C^2 when divided by n.

Step 3b. If e_i = 1, then set C to the remainder of C * M when divided by n.

Step 4. Halt. Now C is the encrypted form of M.

This procedure is called "exponentiation by repeated squaring and multiplication." This procedure is half as good as the best; more efficient procedures are known. Knuth [3] studies this problem in detail.

The fact that the enciphering and deciphering are identical leads to a simple implementation. (The whole operation can be implemented on a few special-purpose integrated circuit chips.)

A high-speed computer can encrypt a 200-digit message M in a few seconds; special-purpose hardware would be much faster. The encryption time per block increases no faster than the cube of the number of digits in n.

B. How to Find Large Prime Numbers

Each user must (privately) choose two large random prime numbers p and q to create his own encryption and decryption keys. These numbers must be large so that it is not computationally feasible for anyone to factor n = p * q. (Remember that n, but not p or q, will be in the public file.) We recommend using 100-digit (decimal) prime numbers p and q, so that n has 200 digits.

To find a 100-digit "random" prime number, generate (odd) 100-digit random numbers until a prime number is found. By the prime number theorem [7], about (ln 10^100)/2 = 115 numbers will be tested before a prime is found.

To test a large number b for primality we recommend the elegant "probab­ilistic" algorithm due to Solovay and Strassen [12]. It picks a random number a from a uniform distribution on {1, ..., b - 1}, and tests whether

gcd(a, b) = 1 and J(a, b) ≡ a^{(b-1)/2} (mod b), (6)

where J(a, b) is the Jacobi symbol [7]. If b is prime (6) is always true. If b is composite (6) will be false with probability at least 1/2. If (6) holds for 100 randomly chosen values of a then b is almost certainly prime; there is a (negligible) chance of one in 2^100 that b is composite. Even if a composite were accidentally used in our system, the receiver would probably detect this by noticing that decryption didn't work correctly. When b is odd, a ≤ b, and gcd(a, b) = 1, the Jacobi symbol J(a, b) has a value in {-1, 1} and can be efficiently computed by the program:

J(a, b) = if a = 1 then 1 else
          if a is even then J(a/2, b) * (-1)^{(b^2 - 1)/8}
          else J(b mod a, a) * (-1)^{(a - 1)(b - 1)/4}

(The computations of J(a, b) and gcd(a, b) can be nicely combined, too.) Note that this algorithm does not test a number for primality by trying to factor it. Other efficient procedures for testing a large number for primality are given in [6, 9, 11].

To gain additional protection against sophisticated factoring algorithms, p and q should differ in length by a few digits, both (p - 1) and (q - 1) should contain large prime factors, and gcd(p - 1, q - 1) should be small. The latter condition is easily checked.

To find a prime number p such that (p - 1) has a large prime factor, generate a large random prime number u, then let p be the first prime in the sequence i * u + 1, for i = 2, 4, 6, ... (This shouldn't take too long.) Additional security is provided by ensuring that (u - 1) also has a large prime factor.

A high-speed computer can determine in several seconds whether a 100-digit number is prime, and can find the first prime after a given point in a minute or two.

Another approach to finding large prime numbers is to take a number of known factorization, add one to it, and test the result for primality. If a prime p is found it is possible to prove that it really is prime by using the factorization of p - 1. We omit a discussion of this since the probabilistic method is adequate.

C. How to Choose d

It is very easy to choose a number d which is relatively prime to φ(n). For example, any prime number greater than max(p, q) will do. It is important that d should be chosen from a large enough set so that a cryptanalyst cannot find it by direct search.

D. How to Compute e from d and φ(n)

To compute e, use the following variation of Euclid's algorithm for computing the greatest common divisor of φ(n) and d. (See exercise 4.5.2.15 in [3].) Calculate gcd(φ(n), d) by computing a series x_0, x_1, x_2, ..., where x_0 = φ(n), x_1 = d, and x_{i+1} ≡ x_{i-1} (mod x_i), until an x_k equal to 0 is found. Then gcd(x_0, x_1) = x_{k-1}. Compute for each x_i numbers a_i and b_i such that x_i = a_i * x_0 + b_i * x_1. If x_{k-1} = 1 then b_{k-1} is the multiplicative inverse of x_1 (mod x_0). Since k will be less than 2 * log_2(n), this computation is very rapid.

If e turns out to be less than log_2(n), start over by choosing another value of d. This guarantees that every encrypted message (except M = 0 or M = 1) undergoes some "wrap-around" (reduction modulo n).
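The Jacobi-symbol program and the Solovay-Strassen test of Equation (6) from Section VII.B, together with the inverse computation of Section VII.D, as an added Python example (not the paper's code). The bases for the primality test are drawn from a seeded `random.Random`, an assumption of this example made so that runs are reproducible; the a = 0 case in `jacobi` is likewise added so that a base sharing a factor with b cannot make the recursion loop.

```python
import random
from math import gcd


def jacobi(a, b):
    """Jacobi symbol J(a, b) for odd b, by the recursion of Section VII.B.
    a = 0 (reached only when gcd(a, b) > 1) returns 0, an addition here."""
    if a == 0:
        return 0
    if a == 1:
        return 1
    if a % 2 == 0:
        sign = -1 if ((b * b - 1) // 8) % 2 else 1        # (-1)^((b^2-1)/8)
        return jacobi(a // 2, b) * sign
    sign = -1 if (((a - 1) * (b - 1)) // 4) % 2 else 1    # (-1)^((a-1)(b-1)/4)
    return jacobi(b % a, a) * sign


def solovay_strassen_round(a, b):
    """Equation (6): gcd(a, b) = 1 and J(a, b) = a^((b-1)/2) (mod b).
    J = -1 is compared as b - 1, its residue modulo b."""
    if gcd(a, b) != 1:
        return False
    return jacobi(a, b) % b == pow(a, (b - 1) // 2, b)


def is_probable_prime(b, rounds=100, seed=0):
    """b passes `rounds` independent tests; a composite survives each
    round with probability at most 1/2, so 100 rounds leave a chance of
    one in 2^100 (Section VII.B). The seed is an assumption for reproducibility."""
    if b < 3 or b % 2 == 0:
        return b == 2
    rng = random.Random(seed)
    return all(solovay_strassen_round(rng.randrange(1, b), b)
               for _ in range(rounds))


def inverse_mod(d, phi):
    """Section VII.D: x_0 = phi, x_1 = d, x_{i+1} = x_{i-1} mod x_i, tracking
    b_i with x_i = a_i*x_0 + b_i*x_1. If x_{k-1} = 1, then e = b_{k-1} mod phi."""
    x_prev, x_cur = phi, d
    b_prev, b_cur = 0, 1
    while x_cur != 0:
        q = x_prev // x_cur
        x_prev, x_cur = x_cur, x_prev - q * x_cur
        b_prev, b_cur = b_cur, b_prev - q * b_cur
    if x_prev != 1:
        raise ValueError("d is not relatively prime to phi(n)")
    return b_prev % phi


if __name__ == "__main__":
    p, q, d = 47, 59, 157                     # Section VIII's small example
    assert is_probable_prime(p) and is_probable_prime(q)
    print("e =", inverse_mod(d, (p - 1) * (q - 1)))   # 17
```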

VIII. A Small Example

Consider the case p = 47, q = 59, n = p * q = 47 * 59 = 2773, and d = 157. Then φ(2773) = 46 * 58 = 2668, and e can be computed as follows:

x_0 = 2668,   a_0 = 1,    b_0 = 0,
x_1 = 157,    a_1 = 0,    b_1 = 1,
x_2 = 156,    a_2 = 1,    b_2 = -16 (since 2668 = 157 * 16 + 156),
x_3 = 1,      a_3 = -1,   b_3 = 17 (since 157 = 1 * 156 + 1).

Therefore e = 17, the multiplicative inverse (mod 2668) of d = 157.

With n = 2773 we can encode two letters per block, substituting a two-digit number for each letter: blank = 00, A = 01, B = 02, ..., Z = 26. Thus the message

ITS ALL GREEK TO ME

(Julius Caesar, I, ii, 288, paraphrased) is encoded:

0920 1900 0112 1200 0718
0505 1100 2015 0013 0500

Since e = 10001 in binary, the first block (M = 920) is enciphered:

M^e = M^17 = ((((M^2)^2)^2)^2) * M ≡ 948 (mod 2773).

The whole message is enciphered as:

0948 2342 1084 1444 2663
2390 0778 0774 0219 1655.

The reader can check that deciphering works: 948^157 ≡ 920 (mod 2773), etc.
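The encryption of Section V, the repeated-squaring steps of Section VII.A and the two-letters-per-block encoding of Section VIII, as an added Python example (not the paper's code); it reproduces the worked numbers p = 47, q = 59, e = 17, d = 157, padding an odd-length text with a blank as the example's own convention.

```python
def modexp(m, e, n):
    """Section VII.A, Steps 1-4: scan the bits e_k ... e_0 of e from the most
    significant end, squaring each time and multiplying by m when e_i = 1."""
    c = 1                          # Step 2
    for bit in bin(e)[2:]:         # Step 1: binary representation of e
        c = (c * c) % n            # Step 3a
        if bit == "1":
            c = (c * m) % n        # Step 3b
    return c                       # Step 4


def encrypt(m, e, n):
    return modexp(m, e, n)         # C = M^e (mod n)


def decrypt(c, d, n):
    return modexp(c, d, n)         # M = C^d (mod n)


def encode_text(text):
    """Section VIII: blank -> 00, A -> 01, ..., Z -> 26, two letters per block
    (so every block is below 2700 and hence below n = 2773)."""
    if len(text) % 2:
        text += " "                # pad to an even length (this example's choice)

    def code(ch):
        return 0 if ch == " " else ord(ch) - ord("A") + 1

    return [100 * code(text[i]) + code(text[i + 1])
            for i in range(0, len(text), 2)]


def decode_blocks(blocks):
    letters = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    return "".join(letters[b // 100] + letters[b % 100] for b in blocks)


def encrypt_text(text, e, n):
    return [encrypt(m, e, n) for m in encode_text(text)]


def decrypt_blocks(blocks, d, n):
    return decode_blocks([decrypt(c, d, n) for c in blocks])


if __name__ == "__main__":
    p, q, d, e = 47, 59, 157, 17   # the paper's small example
    n = p * q                      # 2773
    cipher = encrypt_text("ITS ALL GREEK TO ME", e, n)
    print(" ".join("%04d" % c for c in cipher))
    print(decrypt_blocks(cipher, d, n))
```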
IX. Security of the Method: Cryptanalytic Approaches

Since no techniques exist to prove that an encryption scheme is secure, the only test available is to see whether anyone can think of a way to break it. The NBS standard was "certified" this way; seventeen man-years at IBM were spent fruitlessly trying to break that scheme. Once a method has successfully resisted such a concerted attack it may for practical purposes be considered secure. (Actually there is some controversy concerning the security of the NBS method [2].)

We show in the next sections that all the obvious approaches for breaking our system are at least as difficult as factoring n. While factoring large numbers is not provably difficult, it is a well-known problem that has been worked on for the last three hundred years by many famous mathematicians. Fermat (1601?-1665) and Legendre (1752-1833) developed factoring algorithms; some of today's more efficient algorithms are based on the work of Legendre. As we shall see in the next section, however, no one has yet found an algorithm which can factor a 200-digit number in a reasonable amount of time. We conclude that our system has already been partially "certified" by these previous efforts to find efficient factoring algorithms.

In the following sections we consider ways a cryptanalyst might try to determine the secret decryption key from the publicly revealed encryption key. We do not consider ways of protecting the decryption key from theft; the usual physical security methods should suffice. (For example, the encryption device could be a separate device which could also be used to generate the encryption and decryption keys, such that the decryption key is never printed out (even for its owner) but only used to decrypt messages. The device could erase the decryption key if it was tampered with.)

A. Factoring n

Factoring n would enable an enemy cryptanalyst to "break" our method. The factors of n enable him to compute φ(n) and thus d. Fortunately, factoring a number seems to be much more difficult than determining whether it is prime or composite.

A large number of factoring algorithms exist. Knuth [3, Section 4.5.4] gives an excellent presentation of many of them. Pollard [9] presents an algorithm which factors a number n in time O(n^{1/4}).

The fastest factoring algorithm known to the authors is due to Richard Schroeppel (unpublished); it can factor n in approximately

$$\exp\sqrt{\ln(n) \cdot \ln(\ln(n))} = n^{\sqrt{\ln(\ln(n))/\ln(n)}} = (\ln(n))^{\sqrt{\ln(n)/\ln(\ln(n))}}$$

steps (here ln denotes the natural logarithm function).
Table I gives the number of operations needed to factor n with Schroeppel's method, and the time required if each operation uses one microsecond, for various lengths of the number n (in decimal digits):

Table I.

Digits   Number of operations   Time
  50     1.4 x 10^10            3.0 hours
  75     9.0 x 10^12            104 days
 100     2.3 x 10^15            74 years
 200     1.2 x 10^…             3.3 x 10^… years
 300     1.5 x 10^29            4.9 x 10^15 years
 500     1.3 x 10^39            4.2 x 10^25 years

We recommend that n be about 200 digits long. Longer or shorter lengths can be used depending on the relative importance of encryption speed and security in the application at hand. An 80-digit n provides moderate security against an attack using current technology; using 200 digits provides a margin of safety against future developments. This flexibility to choose a key-length (and thus a level of security) to suit a particular application is a feature not found in many of the previous encryption schemes (such as the NBS scheme).

B. Computing φ(n) Without Factoring n

If a cryptanalyst could compute φ(n) then he could break the system by computing d as the multiplicative inverse of e modulo φ(n) (using the procedure of Section VII.D).

We argue that this approach is no easier than factoring n since it enables the cryptanalyst to easily factor n using φ(n). This approach to factoring n has not turned out to be practical.

How can n be factored using φ(n)? First, (p + q) is obtained from n and φ(n) = n - (p + q) + 1. Then (p - q) is the square root of (p + q)^2 - 4n. Finally, q is half the difference of (p + q) and (p - q).

Therefore breaking our system by computing φ(n) is no easier than breaking our system by factoring n. (This is why n must be composite; φ(n) is trivial to compute if n is prime.)

C. Determining d Without Factoring n or Computing φ(n)

Of course, d should be chosen from a large enough 
set so that a direct search for it is unfeasible. 

We argue that computing d is no easier for a cryptanalyst than factoring n, since once d is known n could be factored easily. This approach to factoring has also not turned out to be fruitful.

A knowledge of d enables n to be factored as follows. Once a cryptanalyst knows d he can calculate e·d - 1, which is a multiple of φ(n). Miller [6] has shown that n can be factored using any multiple of φ(n). Therefore if n is large a cryptanalyst should not be able to determine d any easier than he can factor n.

A cryptanalyst may hope to find a d' which is equivalent to the d secretly held by a user of the public-key cryptosystem. If such values d' were common then a brute-force search could break the system. However, all such d' differ by the least common multiple of (p - 1) and (q - 1), and finding one enables n to be factored. (In (3) and (5), φ(n) can be replaced by lcm(p - 1, q - 1).) Finding any such d' is therefore as difficult as factoring n.
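Sections IX.B and IX.C above both rest on the same fact: knowing φ(n), or any multiple of it such as e·d - 1, is as good as knowing the factorization of n. The following Python is an added worked example, not code from the paper, that carries both reductions through on a constructed toy key (the six-digit primes, e = 65537 and every function name are this example's own choices). factor_from_phi is the (p + q), (p - q) computation of IX.B; factor_from_d is the square-root-of-unity argument the paper attributes to Miller [6]; the third function checks the remark that equivalent exponents d' differ by lcm(p - 1, q - 1).

```python
import math
import random

# Constructed toy key (not from the paper): two six-digit primes, e = 65537.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # the user's secret exponent


def factor_from_phi(n, phi):
    """Section IX.B: given phi(n) = (p-1)(q-1), recover p and q from
    p + q = n - phi(n) + 1 and (p - q)^2 = (p + q)^2 - 4n."""
    s = n - phi + 1                     # p + q
    disc = s * s - 4 * n                # (p - q)^2
    t = math.isqrt(disc)
    if t * t != disc:
        raise ValueError("phi is not phi(n) for a product of two primes")
    p, q = (s + t) // 2, (s - t) // 2
    if p * q != n:
        raise ValueError("inconsistent n and phi")
    return tuple(sorted((p, q)))


def factor_from_d(n, e, d, rounds=64, rng=random):
    """Section IX.C: e*d - 1 is a multiple of phi(n), and any such multiple factors n.
    Write e*d - 1 = 2^s * r with r odd. For a random base a the sequence
    a^r, a^(2r), ..., a^(2^s r) mod n ends in 1; the first term that squares to 1
    without being +-1 is a non-trivial square root of 1, and gcd(term - 1, n) is a
    proper factor. Each base succeeds with probability at least 1/2."""
    m = e * d - 1
    s = 0
    while m % 2 == 0:
        m //= 2
        s += 1
    r = m
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:                         # the base already shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue                       # this base only yields trivial roots
        for _ in range(s):
            y = x * x % n
            if y == 1:                     # x is a square root of 1 other than +-1
                p = math.gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break
            x = y
    raise RuntimeError("no factor found; try more rounds")


def equivalent_exponents_differ_by_lcm(p, q, e, d):
    """All d' equivalent to d differ from it by a multiple of lcm(p-1, q-1), and each of
    them decrypts correctly; so finding any d' pins down the factorization just as d does."""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    d_alt = d % lam + lam                  # another working private exponent
    n = p * q
    msg = 123456789 % n
    c = pow(msg, e, n)
    return pow(c, d_alt, n) == msg and (d_alt - d) % lam == 0


if __name__ == "__main__":
    print(factor_from_phi(N, PHI), factor_from_d(N, E, D),
          equivalent_exponents_differ_by_lcm(P, Q, E, D))
```

The two recovery routines are the reason a leaked d, or a leaked φ(n), must be treated as a leak of the whole key: there is no cheaper secret to rotate than the modulus itself.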

D. Computing d in Some Other Way

Although this problem of "computing eth roots modulo n without factoring n" is not a well-known difficult problem like factoring, we feel reasonably confident that it is computationally intractable. It may be possible to prove that any general method of breaking our scheme yields an efficient factoring algorithm. This would establish that any way of breaking our scheme must be as difficult as factoring. We have not been able to prove this conjecture, however.

Our method should be certified by having the above conjecture of intractability withstand a concerted attempt to disprove it. The reader is challenged to find a way to "break" our method.



X. Avoiding "Reblocking" when Encrypting a Signed Message

A signed message may have to be "reblocked" for encryption since the signature n may be larger than the encryption n (every user has his own n). This can be avoided as follows. A threshold value h is chosen (say h = 10^199) for the public-key cryptosystem. Every user maintains two public (e, n) pairs, one for enciphering and one for signature-verification, where every signature n is less than h, and every enciphering n is greater than h. Reblocking to encipher a signed message is then unnecessary; the message is blocked according to the transmitter's signature n.

Another solution uses a technique given in [4]. Each user has a single (e, n) pair where n is between h and 2h, where h is a threshold as above. A message is encoded as a number less than h and enciphered as before, except that if the ciphertext is greater than h, it is repeatedly re-enciphered until it is less than h. Similarly for decryption the ciphertext is repeatedly deciphered to obtain a value less than h. If n is near h re-enciphering will be infrequent. (Infinite looping is not possible, since at worst a message is enciphered as itself.)
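Both solutions of Section X, as an added Python example that is not code from the paper. The threshold h, the four primes and the exponent e are toy values chosen for this example so that the re-enciphering loop can be observed directly; the function names are the example's own. The first pair of functions uses a signature modulus below h and an enciphering modulus above it; the second pair uses one modulus in [h, 2h) and iterates until the value drops below h, undoing exactly the same number of steps on the way back.

```python
import math

H = 10 ** 6      # threshold h of Section X; a toy value (the paper suggests 10^199)


def make_key(p, q, e=17):
    """(e, n, d) for primes p and q, with d the inverse of e modulo lcm(p-1, q-1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return e, n, pow(e, -1, lam)


# First solution: every signature modulus is below h, every enciphering modulus above it.
SIG_E, SIG_N, SIG_D = make_key(991, 997)      # n = 988027, below h
ENC_E, ENC_N, ENC_D = make_key(1009, 1013)    # n = 1022117, h <= n < 2h


def sign_then_encipher(m):
    """The signature s is < SIG_N < h <= ENC_N, so it is already a valid block for
    the enciphering modulus: no reblocking."""
    if not 0 <= m < SIG_N:
        raise ValueError("block the message according to the signer's modulus")
    s = pow(m, SIG_D, SIG_N)
    return pow(s, ENC_E, ENC_N)


def decipher_then_verify(c):
    s = pow(c, ENC_D, ENC_N)
    if s >= SIG_N:
        raise ValueError("recovered value is not a block of the signer's modulus")
    return pow(s, SIG_E, SIG_N)


# Second solution (the technique the paper takes from [4]): one key with h <= n < 2h,
# messages below h, and re-enciphering until the ciphertext is below h as well.
def encipher_below_threshold(m, e=ENC_E, n=ENC_N, h=H):
    """Returns (ciphertext, number of RSA operations used). x -> x^e mod n is a
    permutation, so iterating it from m < h returns to a value below h (at worst m
    itself); the loop therefore terminates."""
    if not 0 <= m < h:
        raise ValueError("encode the message as a number below h")
    c, count = pow(m, e, n), 1
    while c >= h:
        c, count = pow(c, e, n), count + 1
    return c, count


def decipher_below_threshold(c, d=ENC_D, n=ENC_N, h=H):
    """Every intermediate value the encipherer passed through was >= h, so the plaintext
    is the first value below h reached when undoing the operations one at a time."""
    if not 0 <= c < h:
        raise ValueError("ciphertext must be below h")
    x = pow(c, d, n)
    while x >= h:
        x = pow(x, d, n)
    return x


def reblocking_rate(messages):
    """Fraction of messages needing more than one enciphering; small when n is near h."""
    extra = sum(1 for m in messages if encipher_below_threshold(m)[1] > 1)
    return extra / len(messages)
```

With n only about 2% above h, reblocking_rate over a spread of messages comes out near that 2%, which is the "infrequent" of the paper's last sentence; pushing n towards 2h makes the extra operations correspondingly common.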



XI. Conclusions

We have proposed a method for implementing a public-key cryptosystem whose security rests in part on the difficulty of factoring large numbers. If the security of our method proves to be adequate, it permits secure communications to be established without the use of couriers to carry keys, and it also permits one to "sign" digitized documents.

The security of this system needs to be examined in 
more detail. In particular, the difficulty of factoring 
large numbers should be examined very closely. The 
reader is urged to find a way to "break" the system. 
Once the method has withstood all attacks for a 
sufficient length of time it may be used with a reasona- 
ble amount of confidence. 

Our encryption function is the only candidate for a 
"trap-door one-way permutation" known to the au- 
thors. It might be desirable to find other examples, to 
provide alternative implementations should the secu- 
rity of our system turn out someday to be inadequate. 
There are surely also many new applications to be 
discovered for these functions. 
1. Scope

This standard describes a method for encrypting data using the RSA public-key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes, as described in PKCS #7:

• For digital signatures, the content to be signed is first reduced to a message 
digest with a message-digest algorithm (such as MD5), and then an octet 
string containing the message digest is encrypted with the RSA private key 
of the signer of the content. The content and the encrypted message digest 
are represented together according to the syntax in PKCS #7 to yield a 
digital signature. This application is compatible with Privacy-Enhanced 
Mail (PEM) methods. 

• For digital envelopes, the content to be enveloped is first encrypted under 
a content-encryption key with a content-encryption algorithm (such as 
DES), and then the content-encryption key is encrypted with the RSA 
public keys of the recipients of the content. The encrypted content and the 
encrypted content-encryption key are represented together according to the 
syntax in PKCS #7 to yield a digital envelope. This application is also 
compatible with PEM methods. 

The standard also describes a syntax for RSA public keys and private keys. The public- 
key syntax would be used in certificates; the private-key syntax would be used typically 
in PKCS #8 private-key information. The public-key syntax is identical to that in both 
X.509 and Privacy-Enhanced Mail. Thus X.509/PEM RSA keys can be used in this
standard. 

The standard also defines three signature algorithms for use in signing X.509/PEM 
certificates and certificate-revocation lists, PKCS #6 extended certificates, and other 
objects employing digital signatures such as X.401 message tokens. 

Details on message-digest and content-encryption algorithms are outside the scope of this 
standard, as are details on sources of the pseudorandom bits required by certain methods 
in this standard. 
3. Definitions

For the purposes of this standard, the following definitions apply. 

AlgorithmIdentifier: A type that identifies an algorithm (by object identifier) and associated parameters. This type is defined in X.509.

ASN.1: Abstract Syntax Notation One, as defined in X.208.

BER: Basic Encoding Rules, as defined in X.209. 

DES: Data Encryption Standard, as defined in FIPS PUB 46-1. 

MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as defined in RFC 1319. 
MD4: RSA Data Security, Inc.'s MD4 message-digest algorithm, as defined in RFC 1320. 
MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as defined in RFC 1321. 
modulus: Integer constructed as the product of two primes. 

PEM: Internet Privacy-Enhanced Mail, as defined in RFC 1423 and related documents.

RSA: The RSA public-key cryptosystem, as defined in [RSA78].

private key: Modulus and private exponent.

public key: Modulus and public exponent.

4. Symbols and abbreviations

Upper-case italic symbols (e.g., BT) denote octet strings and bit strings (in the case of the signature S); lower-case italic symbols (e.g., c) denote integers.

ab        hexadecimal octet value
BT        block type
D         data
EB        encryption block
ED        encrypted data
M         message
MD        message digest
MD'       comparative message digest
PS        padding string
S         signature
X || Y    concatenation of X, Y
||X||     length in octets of X

c         exponent
d         private exponent
e         public exponent
k         length of modulus in octets
n         modulus
p, q      prime factors of modulus
x         integer encryption block
y         integer encrypted data
mod n     modulo n



5. General overview 

The next six sections specify key generation, key syntax, the encryption process, the 
decryption process, signature algorithms, and object identifiers. 

Each entity shall generate a pair of keys: a public key and a private key. The encryption 
process shall be performed with one of the keys and the decryption process shall be 
performed with the other key. Thus the encryption process can be either a public-key 
operation or a private-key operation, and so can the decryption process. Both processes 
transform an octet string to another octet string. The processes are inverses of each other 
if one process uses an entity's public key and the other process uses the same entity's 
private key. 

The encryption and decryption processes can implement either the classic RSA 
transformations, or variations with padding. 
6. Key generation

This section describes RSA key generation. 

Each entity shall select a positive integer e as its public exponent. 

Each entity shall privately and randomly select two distinct odd primes p and q such that (p-1) and e have no common divisors, and (q-1) and e have no common divisors.

The public modulus n shall be the product of the private prime factors p and q:

n = pq.

The private exponent shall be a positive integer d such that de-1 is divisible by both p-1 and q-1.

The length of the modulus n in octets is the integer k satisfying

$$2^{8(k-1)} \le n < 2^{8k}.$$

The length k of the modulus must be at least 12 octets to accommodate the block formats 
in this standard (see Section 8). 

Notes. 

1. The public exponent may be standardized in specific applications. The values 3 and F4 (65537) may have some practical advantages, as noted in X.509 Annex C.

2. Some additional conditions on the choice of primes may well be taken into 
account in order to deter factorization of the modulus. These security 
conditions fall outside the scope of this standard. The lower bound on the 
length k is to accommodate the block formats, not for security. 

7. Key syntax 

This section gives the syntax for RSA public and private keys. 
7.1 Public-key syntax 

An RSA public key shall have ASN. 1 type RSAPublicKey: 
RSAPublicKey ::= SEQUENCE {
  modulus INTEGER, -- n
  publicExponent INTEGER -- e }

(This type is specified in X.509 and is retained here for compatibility.) 

The fields of type RSAPublicKey have the following meanings: 

• modulus is the modulus n. 

• publicExponent is the public exponent e. 



7.2 Private-key syntax 

An RSA private key shall have ASN.1 type RSAPrivateKey:

RSAPrivateKey ::= SEQUENCE {
  version Version,
  modulus INTEGER, -- n
  publicExponent INTEGER, -- e
  privateExponent INTEGER, -- d
  prime1 INTEGER, -- p
  prime2 INTEGER, -- q
  exponent1 INTEGER, -- d mod (p-1)
  exponent2 INTEGER, -- d mod (q-1)
  coefficient INTEGER -- (inverse of q) mod p }

Version ::= INTEGER

The fields of type RSAPrivateKey have the following meanings: 

• version is the version number, for compatibility with future revisions of 
this standard. It shall be 0 for this version of the standard. 

• modulus is the modulus n. 

• publicExponent is the public exponent e. 

• privateExponent is the private exponent d. 

• prime1 is the prime factor p of n.

• prime2 is the prime factor q of n.

• exponent1 is d mod (p-1).

• exponent2 is d mod (q-1).

• coefficient is the Chinese Remainder Theorem coefficient q^-1 mod p.

Notes. 

1. An RSA private key logically consists of only the modulus n and the private exponent d. The presence of the values p, q, d mod (p-1), d mod (q-1), and q^-1 mod p is intended for efficiency, as Quisquater and Couvreur have shown [QC82]. A private-key syntax that does not include all the extra values can be converted readily to the syntax defined here, provided the public key is known, according to a result by Miller [Mil76].

2. The presence of the public exponent e is intended to make it 
straightforward to derive a public key from the private key. 
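Sections 6 and 7.2 taken together, as an added Python example that is not code from the standard or from RSA Data Security, Inc.: key generation with the stated conditions on p, q, e and d, computation of the three CRT fields, DER encoding of the RSAPrivateKey SEQUENCE, decoding it back, and the consistency checks a reader of such a key file should run before trusting it. The Miller-Rabin test, the seed parameter and all function names are this example's own assumptions; the modulus size used in the test is far below any recommendation and only keeps the example fast.

```python
import math
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin after a few trial divisions; rng supplies the bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # a witness: n is composite
    return True


def gen_prime(bits, e, rng):
    """Odd prime of exactly `bits` bits with gcd(p-1, e) = 1, as Section 6 requires."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(p - 1, e) == 1 and is_probable_prime(p, rng):
            return p


def generate_key(bits, e=65537, seed=None):
    """Section 6, returning the nine RSAPrivateKey fields of Section 7.2 as a dict.
    d is the inverse of e modulo lcm(p-1, q-1), so d*e - 1 is divisible by both p-1
    and q-1. `seed` (this example's own parameter) makes the result reproducible."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    p = gen_prime(bits // 2, e, rng)
    q = gen_prime(bits // 2, e, rng)
    while q == p:
        q = gen_prime(bits // 2, e, rng)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1) // math.gcd(p - 1, q - 1))
    k = (n.bit_length() + 7) // 8      # the k with 2^(8(k-1)) <= n < 2^(8k)
    if k < 12:
        raise ValueError("modulus must be at least 12 octets for the Section 8 block formats")
    return {"version": 0, "n": n, "e": e, "d": d, "p": p, "q": q,
            "exp1": d % (p - 1), "exp2": d % (q - 1), "coef": pow(q, -1, p)}


FIELDS = ("version", "n", "e", "d", "p", "q", "exp1", "exp2", "coef")   # RSAPrivateKey order


def der_length(n):
    """Definite-form length octets (X.209)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(x):
    """DER INTEGER of a non-negative x: shortest encoding, 00-padded if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(b)) + b


def encode_rsa_private_key(key):
    body = b"".join(der_integer(key[f]) for f in FIELDS)
    return b"\x30" + der_length(len(body)) + body


def _read_tlv(buf, pos):
    """(tag, content, position after the element) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_rsa_private_key(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        values.append(int.from_bytes(content, "big"))
    if len(values) != len(FIELDS) or values[0] != 0:
        raise ValueError("not a version-0 RSAPrivateKey")
    return dict(zip(FIELDS, values))


def check_private_key(k):
    """The relations between the fields that a decoder should verify before using a key."""
    p, q, e, d = k["p"], k["q"], k["e"], k["d"]
    return (k["n"] == p * q and p != q and p % 2 == 1 and q % 2 == 1
            and math.gcd(e, p - 1) == 1 and math.gcd(e, q - 1) == 1
            and (d * e - 1) % (p - 1) == 0 and (d * e - 1) % (q - 1) == 0
            and k["exp1"] == d % (p - 1) and k["exp2"] == d % (q - 1)
            and k["coef"] * q % p == 1)
```

check_private_key is the part worth keeping: a key file whose CRT fields disagree with p, q and d will still parse, and a signer that uses the CRT values without this check produces signatures that do not verify under the public key.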



8. Encryption process 

This section describes the RSA encryption process. 

The encryption process consists of four steps: encryption-block formatting, octet-string- 
to-integer conversion, RSA computation, and integer-to-octet-string conversion. The 
input to the encryption process shall be an octet string D, the data; an integer n, the 
modulus; and an integer c, the exponent. For a public-key operation, the integer c shall be 
an entity's public exponent e; for a private-key operation, it shall be an entity's private 
exponent d. The output from the encryption process shall be an octet string ED, the 
encrypted data. 

The length of the data D shall not be more than k-11 octets, which is positive since the length k of the modulus is at least 12 octets. This limitation guarantees that the length of the padding string PS is at least eight octets, which is a security condition.

Notes. 

1. In typical applications of this standard to encrypt content-encryption keys and message digests, one would have ||D|| <= 30. Thus the length of the RSA modulus will need to be at least 328 bits (41 octets), which is reasonable and consistent with security recommendations.

2. The encryption process does not provide an explicit integrity check to facilitate error detection should the encrypted data be corrupted in transmission. However, the structure of the encryption block guarantees that the probability that corruption is undetected is less than 2^-16, which is an upper bound on the probability that a random encryption block looks like block type 02.

3. Application of private-key operations as defined here to data other than an 
octet string containing a message digest is not recommended and is subject 
to further study. 

4. This standard may be extended to handle data of length more than k-11 octets.

8.1 Encryption-block formatting 

A block type BT, a padding string PS, and the data D shall be formatted into an octet string EB, the encryption block.

EB = 00 || BT || PS || 00 || D. (1)

The block type BT shall be a single octet indicating the structure of the encryption block. For this version of the standard it shall have value 00, 01, or 02. For a private-key operation, the block type shall be 00 or 01. For a public-key operation, it shall be 02.

The padding string PS shall consist of k-3-||D|| octets. For block type 00, the octets shall have value 00; for block type 01, they shall have value FF; and for block type 02, they shall be pseudorandomly generated and nonzero. This makes the length of the encryption block EB equal to k.

Notes. 

1. The leading 00 octet ensures that the encryption block, converted to an integer, is less than the modulus.

2. For block type 00, the data D must begin with a nonzero octet or have known length so that the encryption block can be parsed unambiguously. For block types 01 and 02, the encryption block can be parsed unambiguously since the padding string PS contains no octets with value 00 and the padding string is separated from the data D by an octet with value 00.

3. Block type 01 is recommended for private-key operations. Block type 01 has the property that the encryption block, converted to an integer, is guaranteed to be large, which prevents certain attacks of the kind proposed by Desmedt and Odlyzko [DO86].

4. Block types 01 and 02 are compatible with PEM RSA encryption of content-encryption keys and message digests as described in RFC 1423.

5. For block type 02, it is recommended that the pseudorandom octets be generated independently for each encryption process, especially if the same data is input to more than one encryption process. Hastad's results [Has88] motivate this recommendation.

6. For block type 02, the padding string is at least eight octets long, which is a security condition for public-key operations that prevents an attacker from recovering data by trying all possible encryption blocks. For simplicity, the minimum length is the same for block type 01.

7. This standard may be extended in the future to include other block types. 



8.2 Octet-string-to-integer conversion 

The encryption block EB shall be converted to an integer x, the integer encryption block. Let EB_1, ..., EB_k be the octets of EB from first to last. Then the integer x shall satisfy

$$x = \sum_{i=1}^{k} 2^{8(k-i)}\, EB_i. \qquad (2)$$

In other words, the first octet of EB has the most significance in the integer and the last octet of EB has the least significance.

Note. The integer encryption block x satisfies 0 <= x < n since EB_1 = 00 and 2^(8(k-1)) <= n.



8.3 RSA computation 

The integer encryption block x shall be raised to the power c modulo n to give an integer 
y, the integer encrypted data. 

$$y = x^c \bmod n, \qquad 0 \le y < n.$$
This is the classic RSA computation. 



8.4 Integer-to-octet-string conversion 

The integer encrypted data y shall be converted to an octet string ED of length k, the encrypted data. The encrypted data ED shall satisfy

$$y = \sum_{i=1}^{k} 2^{8(k-i)}\, ED_i, \qquad (3)$$

where ED_1, ..., ED_k are the octets of ED from first to last.

In other words, the first octet of ED has the most significance in the integer and the last octet of ED has the least significance.

9. Decryption process 

This section describes the RSA decryption process. 

The decryption process consists of four steps: octet-string-to-integer conversion, RSA computation, integer-to-octet-string conversion, and encryption-block parsing. The input to the decryption process shall be an octet string ED, the encrypted data; an integer n, the modulus; and an integer c, the exponent. For a public-key operation, the integer c shall be an entity's public exponent e; for a private-key operation, it shall be an entity's private exponent d. The output from the decryption process shall be an octet string D, the data.

It is an error if the length of the encrypted data ED is not k. 

For brevity, the decryption process is described in terms of the encryption process. 

9.1 Octet-string-to-integer conversion 

The encrypted data ED shall be converted to an integer y, the integer encrypted data, 
according to Equation (3). 

It is an error if the integer encrypted data y does not satisfy 0 <= y < n.

9.2 RSA computation 

The integer encrypted data y shall be raised to the power c modulo n to give an integer x, 
the integer encryption block. 

$$x = y^c \bmod n, \qquad 0 \le x < n.$$
This is the classic RSA computation. 

9.3 Integer-to-octet-string conversion 

The integer encryption block x shall be converted to an octet string EB of length k, the 
encryption block, according to Equation (2). 
9.4 Encryption-block parsing

The encryption block EB shall be parsed into a block type BT, a padding string PS, and 
the data D according to Equation (1). 

It is an error if any of the following conditions occurs: 

• The encryption block EB cannot be parsed unambiguously (see notes to 
Section 8.1). 

• The padding string PS consists of fewer than eight octets, or is inconsistent 
with the block type BT. 

• The decryption process is a public-key operation and the block type BT is not 00 or 01, or the decryption process is a private-key operation and the block type is not 02.
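The encryption and decryption processes of Sections 8 and 9, as an added Python example that is not code from the standard. It implements encryption-block formatting for all three block types, the octet-string/integer conversions of Equations (2) and (3), the RSA computation, and every error condition of Sections 9, 9.1 and 9.4, and exercises them on a constructed key. The modulus is the product of two published Mersenne primes, chosen only so the example needs no prime generator (k = 19 octets, so at most 8 octets of data); that modulus and all function names are the example's own. One point in the parser is deliberate: all failure conditions raise the same exception with the same message, so a caller learns only that decryption failed, not which check failed.

```python
import secrets

# Constructed toy key (not from the standard): n = M61 * M89. A modulus with published
# factors is worthless in practice; it is used here only to exercise the block formats.
P = 2 ** 61 - 1
Q = 2 ** 89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P -  1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # 19 octets here
assert K >= 12


def i2osp(x, k):
    """Integer to k-octet string, first octet most significant (Equations (2), (3))."""
    return x.to_bytes(k, "big")


def os2ip(s):
    return int.from_bytes(s, "big")


def format_block(bt, data, k, random_octets=secrets.token_bytes):
    """Section 8.1: EB = 00 || BT || PS || 00 || D."""
    if bt not in (0x00, 0x01, 0x02):
        raise ValueError("unknown block type")
    if len(data) > k - 11:
        raise ValueError("data too long: at most k-11 octets so that PS has >= 8 octets")
    ps_len = k - 3 - len(data)
    if bt == 0x00:
        ps = b"\x00" * ps_len
    elif bt == 0x01:
        ps = b"\xff" * ps_len
    else:
        ps = b""
        while len(ps) < ps_len:        # pseudorandom and nonzero, fresh for every call (Note 5)
            ps += bytes(b for b in random_octets(ps_len - len(ps)) if b != 0)
    return b"\x00" + bytes([bt]) + ps + b"\x00" + data


def parse_block(eb, k, public_key_op):
    """Section 9.4. Every failure raises the same undifferentiated error."""
    err = ValueError("decryption error")
    if len(eb) != k or eb[0] != 0x00:
        raise err
    bt = eb[1]
    if bt not in ((0x00, 0x01) if public_key_op else (0x02,)):
        raise err
    body = eb[2:]
    if bt == 0x00:
        # PS is all 00 and is followed by the 00 separator: D starts at the first nonzero octet
        zeros = len(body) - len(body.lstrip(b"\x00"))
        if zeros < 1:
            raise err
        ps, data = body[:zeros - 1], body[zeros:]
    else:
        sep = body.find(b"\x00")       # PS contains no 00, so this is the separator
        if sep < 0:
            raise err
        ps, data = body[:sep], body[sep + 1:]
        if bt == 0x01 and ps != b"\xff" * len(ps):
            raise err
    if len(ps) < 8:
        raise err
    return data


def rsa_encrypt(data, n, c, bt, k=None):
    """Section 8: format, convert, exponentiate (c is e or d), convert back."""
    k = k or (n.bit_length() + 7) // 8
    x = os2ip(format_block(bt, data, k))   # x < n because EB starts with 00
    return i2osp(pow(x, c, n), k)


def rsa_decrypt(ed, n, c, public_key_op, k=None):
    """Section 9, with the length check of Section 9 and the range check of 9.1."""
    k = k or (n.bit_length() + 7) // 8
    if len(ed) != k:
        raise ValueError("decryption error")
    y = os2ip(ed)
    if not 0 <= y < n:
        raise ValueError("decryption error")
    return parse_block(i2osp(pow(y, c, n), k), k, public_key_op)
```

A public-key operation (block type 02, public exponent) followed by a private-key decryption recovers a content-encryption key; a private-key operation (block type 01) followed by a public-key decryption recovers a message digest, which is the Section 10 signature path minus the DigestInfo encoding.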



10. Signature algorithms 

This section defines three signature algorithms based on the RSA encryption process 
described in Sections 8 and 9. The intended use of the signature algorithms is in signing 
X.509/PEM certificates and certificate-revocation lists, PKCS #6 extended certificates, 
and other objects employing digital signatures such as X.401 message tokens. The 
algorithms are not intended for use in constructing digital signatures in PKCS #7. The 
first signature algorithm (informally, "MD2 with RSA") combines the MD2 message- 
digest algorithm with RSA, the second (informally, "MD4 with RSA") combines the
MD4 message-digest algorithm with RSA, and the third (informally, "MD5 with RSA") 
combines the MD5 message-digest algorithm with RSA. 

This section describes the signature process and the verification process for the three algorithms. The "selected" message-digest algorithm shall be either MD2, MD4 or MD5, depending on the signature algorithm. The signature process shall be performed with an
entity's private key and the verification process shall be performed with an entity's public 
key. The signature process transforms an octet string (the message) to a bit string (the 
signature); the verification process determines whether a bit string (the signature) is the 
signature of an octet string (the message). 

Note. The only difference between the signature algorithms defined here and one of the methods by which signatures (encrypted message digests) are constructed in PKCS #7 is that signatures here are represented as bit strings, for consistency with the X.509 SIGNED macro. In PKCS #7 encrypted message digests are octet strings.

10.1 Signature process

The signature process consists of four steps: message digesting, data encoding, RSA encryption, and octet-string-to-bit-string conversion. The input to the signature process shall be an octet string M, the message; and a signer's private key. The output from the signature process shall be a bit string S, the signature.



10.1.1 Message digesting 

The message M shall be digested with the selected message-digest algorithm to give an 
octet string MD, the message digest. 



10.1.2 Data encoding 

The message digest MD and a message-digest algorithm identifier shall be combined into an ASN.1 value of type DigestInfo, described below, which shall be BER-encoded to give an octet string D, the data.

DigestInfo ::= SEQUENCE {
  digestAlgorithm DigestAlgorithmIdentifier,
  digest Digest }

DigestAlgorithmIdentifier ::= AlgorithmIdentifier
Digest ::= OCTET STRING

The fields of type Digestlnfo have the following meanings: 

• digestAlgorithm identifies the message-digest algorithm (and any associated parameters). For this application, it should identify the selected message-digest algorithm, MD2, MD4 or MD5. For reference, the relevant object identifiers are the following:

md2 OBJECT IDENTIFIER ::=
  { iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 2 }
md4 OBJECT IDENTIFIER ::=
  { iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 4 }
md5 OBJECT IDENTIFIER ::=
  { iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5 }

For these object identifiers, the parameters field of the digestAlgorithm value should be NULL.

• digest is the result of the message-digesting process, i.e., the message digest MD.

Notes. 

1. A message-digest algorithm identifier is included in the DigestInfo value to limit the damage resulting from the compromise of one message-digest algorithm. For instance, suppose an adversary were able to find messages with a given MD2 message digest. That adversary might try to forge a signature on a message by finding an innocuous-looking message with the same MD2 message digest, and coercing a signer to sign the innocuous-looking message. This attack would succeed only if the signer used MD2. If the DigestInfo value contained only the message digest, however, an adversary could attack signers that use any message digest.

2. Although it may be claimed that the use of a SEQUENCE type violates the literal statement in the X.509 SIGNED and SIGNATURE macros that a signature is an ENCRYPTED OCTET STRING (as opposed to ENCRYPTED SEQUENCE), such a literal interpretation need not be required, as I'Anson and Mitchell point out [IM90].

3. No reason is known that MD4 would not be sufficient for very high security digital signature schemes, but because MD4 was designed to be exceptionally fast, it is "at the edge" in terms of risking successful cryptanalytic attack. A message-digest algorithm can be considered "broken" if someone can find a collision: two messages with the same digest. While collisions have been found in variants of MD4 with only two digesting "rounds" [Mer90][dBB92], none have been found in MD4 itself, which has three rounds. After further critical review, it may be appropriate to consider MD4 for very high security applications.

MD5, which has four rounds and is proportionally slower than MD4, is recommended until the completion of MD4's review. The reported "pseudocollisions" in MD5's internal compression function [dBB93] do not appear to have any practical impact on MD5's security.

MD2, the slowest of the three, has the most conservative design. No attacks on MD2 have been published.

10.1.3 RSA encryption

The data D shall be encrypted with the signer's RSA private key as described in Section 8 to give an octet string ED, the encrypted data. The block type shall be 01. (See Section 8.1.)

10.1.4 Octet-string-to-bit-string conversion

The encrypted data ED shall be converted into a bit string S, the signature. Specifically, 
the most significant bit of the first octet of the encrypted data shall become the first bit of 
the signature, and so on through the least significant bit of the last octet of the encrypted 
data, which shall become the last bit of the signature. 

Note. The length in bits of the signature S is a multiple of eight. 
10.2 Verification process 

The verification process for the three signature algorithms consists of four steps: bit-string-to-octet-string conversion, RSA decryption, data decoding, and message digesting and comparison. The input to the verification process shall be an octet string M, the message; a signer's public key; and a bit string S, the signature. The output from the verification process shall be an indication of success or failure.

10.2.1 Bit-string-to-octet-string conversion 

The signature S shall be converted into an octet string ED, the encrypted data. 
Specifically, assuming that the length in bits of the signature S is a multiple of eight, the 
first bit of the signature shall become the most significant bit of the first octet of the 
encrypted data, and so on through the last bit of the signature, which shall become the 
least significant bit of the last octet of the encrypted data. 

It is an error if the length in bits of the signature S is not a multiple of eight. 

10.2.2 RSA decryption 

The encrypted data ED shall be decrypted with the signer's RSA public key as described in Section 9 to give an octet string D, the data.

It is an error if the block type recovered in the decryption process is not 01. (See Section 
9.4.) 

10.2.3 Data decoding

The data D shall be BER-decoded to give an ASN.1 value of type DigestInfo, which shall be separated into a message digest MD and a message-digest algorithm identifier.
The message-digest algorithm identifier shall determine the "selected" message-digest 
algorithm for the next step. 

It is an error if the message-digest algorithm identifier does not identify the MD2, MD4 
or MD5 message-digest algorithm. 
10.2.4 Message digesting and comparison

The message M shall be digested with the selected message-digest algorithm to give an octet string MD', the comparative message digest. The verification process shall succeed if the comparative message digest MD' is the same as the message digest MD, and the verification process shall fail otherwise.
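The "MD5 with RSA" signature and verification processes of Section 10, using the md5 object identifier of Section 10.1.2, as an added Python example that is not code from the standard. The toy modulus (a product of two published Mersenne primes, chosen so that no prime generator is needed and k = 81 octets comfortably holds the 34-octet DigestInfo), the OID and DER helpers, and all function names are the example's own. Verification departs from the literal parse-then-decode order of Sections 10.2.2 and 10.2.3 in one respect, noted in the code: it rebuilds the only block a valid signature can decrypt to and compares all k octets, which accepts exactly what the signing process produces and nothing else.

```python
import hashlib

# Constructed toy key, not from the standard: n = M127 * M521. The factors being public
# is exactly why such a modulus must never be used for anything but an exercise.
P = 2 ** 127 - 1
Q = 2 ** 521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # 81 octets here

MD5_OID = (1, 2, 840, 113549, 2, 5)    # { iso member-body US rsadsi digestAlgorithm 5 }


def oid_content(arcs):
    """Content octets of an OBJECT IDENTIFIER: first two arcs fused, the rest in base 128."""
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7f]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7f))
        out += chunk
    return bytes(out)


def tlv(tag, content):
    """Short-form DER element; every element of a DigestInfo is shorter than 128 octets."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def digest_info(md, oid=MD5_OID):
    """DER DigestInfo { digestAlgorithm { oid, NULL }, digest OCTET STRING } (Section 10.1.2)."""
    algorithm = tlv(0x30, tlv(0x06, oid_content(oid)) + b"\x05\x00")
    return tlv(0x30, algorithm + tlv(0x04, md))


def type01_block(data, k):
    """Block type 01 of Section 8.1: 00 || 01 || FF..FF || 00 || D, PS at least 8 octets."""
    if len(data) > k - 11:
        raise ValueError("data too long for the modulus")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data


def sign_md5_rsa(message, d=D, n=N, k=K):
    """Section 10.1: digest, encode, private-key RSA, then octets to a bit string (10.1.4)."""
    data = digest_info(hashlib.md5(message).digest())
    x = int.from_bytes(type01_block(data, k), "big")
    encrypted = pow(x, d, n).to_bytes(k, "big")
    return "".join(format(octet, "08b") for octet in encrypted)


def verify_md5_rsa(message, signature, e=E, n=N, k=K):
    """Section 10.2. Instead of parsing the recovered block (9.4) and decoding DigestInfo,
    rebuild the single block a correct signature must decrypt to and compare all k octets."""
    if len(signature) != 8 * k:            # a multiple of eight, and ED must have length k
        return False
    encrypted = bytes(int(signature[i:i + 8], 2) for i in range(0, len(signature), 8))
    y = int.from_bytes(encrypted, "big")
    if not 0 <= y < n:
        return False
    recovered = pow(y, e, n).to_bytes(k, "big")
    expected = type01_block(digest_info(hashlib.md5(message).digest()), k)
    return recovered == expected
```

The first 18 octets of digest_info for MD5 are fixed (30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10); a verifier that compares the whole block therefore also pins the padding length, the NULL parameters and the digest length, none of which a lenient parser of Section 9.4 followed by a lenient BER decoder would insist on.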



11. Object identifiers 

This standard defines five object identifiers: pkcs-1, rsaEncryption, md2WithRSAEncryption, md4WithRSAEncryption, and md5WithRSAEncryption.

The object identifier pkcs-1 identifies this standard.

pkcs-1 OBJECT IDENTIFIER ::=
  { iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 1 }

The object identifier rsaEncryption identifies RSA public and private keys as 
defined in Section 7 and the RSA encryption and decryption processes defined in 
Sections 8 and 9. 

rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } 

The rsaEncryption object identifier is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type NULL for this algorithm.

The object identifiers md2WithRSAEncryption, md4WithRSAEncryption, md5WithRSAEncryption, identify, respectively, the "MD2 with RSA," "MD4 with RSA," and "MD5 with RSA" signature and verification processes defined in Section 10.

md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
md4WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 3 }
md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }

These object identifiers are intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type NULL for these algorithms.

Note. X.509's object identifier rsa also identifies RSA public keys as defined in Section 7, but does not identify private keys, and identifies different encryption and decryption processes. It is expected that some applications will identify public keys by rsa. Such public keys are compatible with this standard; an rsaEncryption process under an rsa public key is the same as the rsaEncryption process under an rsaEncryption public key.
Revision history
Versions 1.0-1.3 

Versions 1.0-1.3 were distributed to participants in RSA Data Security, Inc.'s Public-Key 
Cryptography Standards meetings in February and March 1991. 

Version 1.4 

Version 1.4 is part of the June 3, 1991 initial public release of PKCS. Version 1.4 was 
published as NIST/OSI Implementors' Workshop document SEC-SIG-91-18. 

Version 1.5 

Version 1.5 incorporates several editorial changes, including updates to the references 
and the addition of a revision history. The following substantive changes were made: 

• Section 10: "MD4 with RSA" signature and verification processes are added.

• Section 11: md4WithRSAEncryption object identifier is added.
ABSTRACT. We introduce a new class of public-key functions involving a number n = p·q having two large prime factors. As usual, the key n is public, while p and q are the private key used by the issuer for production of signatures and function inversion. These functions can be used for all the applications involving public-key functions proposed by Diffie and Hellman [2], including digitalized signatures. We prove that for any given n, if we can invert the function y = E_n(x) for even a small percentage of the values y then we can factor n. Thus as long as factorization of large numbers remains practically intractable, for appropriately chosen keys not even a small percentage of signatures are forgerable. Breaking the RSA function [6] is at most as hard as factorization, but is not known to be equivalent to factorization even in the weak sense that ability to invert all function values entails ability to factor the key. Computation time for these functions, i.e. signature verification, is several hundred times faster than for the RSA scheme in [6]. Inversion time, using the private key, is comparable. The almost-everywhere intractability of signature-forgery for our functions (on the assumption that factoring is intractable) is of great practical significance and seems to be the first proved result of this kind.

Key words. Public-key functions, Digitalized signatures, Factorization, Intractable problems.



INTRODUCTION 



In their fundamental paper [2] Diffie and Hellman have shown how public key trap door functions can be employed for the solution of various problems arising in electronic mail, including the production of digitalized signatures. An example of a public-key function usable for digitalized signatures was given in the elegant paper [6] by Rivest, Adleman, and Shamir, who introduced a trap-door one-way function employing a number n factorable into a product n = p·q of two large primes. The decoding algorithm given in [6] for this function requires knowledge of the factors p, q of n. It is, however, conceivable that another decoding algorithm exists that does not involve or imply factorization of n. Thus, breaking this one-way function is at most as difficult as factorization, but possibly easier.

We present a different public key function which can be used for digitalized signatures, and all the other applications, in the same way as the above-mentioned function. The function in [6] is 1-1. Our function is four to one, but this causes only slight modifications in the applications.



For this new function we can prove that the 
ability to forge signatures or decode messages is 
equivalent to the ability to factor large numbers. 
In fact, for any given n , a signature forgery or 
inversion algorithm effective in just a small 
percentage of all cases, say one case in a thousand, 
already leads to a factorization of n . By 
inversion we mean finding for a number y in the
range of E one of the x such that E(x) = y.

In view of the present-day intractability of 
the factorization problem, this fact lends substantial 
support to the viability of our public-key function. 
As long as it is impossible in practice to factor 
large numbers, it will be impossible for a fixed key 
to forge signatures even for a small percentage of 
all messages. 

The fact that we are able to prove, on the assumption that factoring is hard, that for our function, for a fixed key n whose factorization is not given, inversion must be hard for almost all messages is of great significance. For other trap door functions it may be the case that even though worst case complexity or even average complexity are high, in say one percent of cases inversion is easy. From a commercial point of view this would pose an unacceptable risk. For example, an adversary can randomly search by computer for messages useful to him, such as payment instructions, on which he can forge signatures. To the best of our knowledge, we have in this article the first example of an almost everywhere difficult problem of this type.

In addition, computation time for this function is several hundred times faster, and inversion when p, q are known is about eight times faster than the corresponding algorithms in [6]. If we invert the RSA function by Chinese Remaindering, as we do here, then inversion times for the two functions are comparable.

Theorems 1 and 2, concerning the equivalence of square-root extraction with factorisation, are perhaps also of independent number-theoretic interest.

1. THE PUBLIC-KEY FUNCTION 

Let n = p·q be the product of two large primes p, q, and let 0 ≤ b < n.

DEFINITION 1: The function E_{n,b}(x) is defined for 0 ≤ x < n by

$$E_{n,b}(x) = x(x+b) \bmod n, \qquad 0 \le E_{n,b}(x) < n.$$

Computation of E(x), for fixed n, b, requires one addition, one multiplication, and one division of x(x+b) by n to find the residue E_{n,b}(x). Note that only the public key n, b, but not the factorization n = p·q, is required for encoding.

2. INVERSION ALGORITHMS 

Given c ≡ x(x+b) mod n, we want to find the four values 0 ≤ x_i < n, 1 ≤ i ≤ 4, such that E(x_i) = c. We assume of course that the private key, i.e. the factors of n, are known.

Throughout this paper res(A,B) will denote the residue of A when divided by B, and (A,B) will denote the greatest common divisor (g.c.d.) of A and B.

The decoder, who is the issuer of the public key n, b, knows the factorization n = p·q. Clearly, it suffices to solve the equation x(x+b) ≡ c separately mod p and mod q and then find a solution mod n.

Let α be an integer so that α ≡ 1 mod p, α ≡ 0 mod q, and let β satisfy β ≡ 1 mod q, β ≡ 0 mod p. If r and s satisfy the congruence mod p and mod q respectively, then z = αr + βs solves the congruence mod n, and x = res(z,n) is the sought-after solution.



In what follows let p be a fixed prime. We shall understand all integers a to be residues mod p, i.e., 0 ≤ a < p. For d a quadratic residue (q.r.) mod p, √d will denote any one of the two integers such that (√d)² ≡ d mod p, and -√d will denote p - √d.

To solve

$$(1)\qquad f(x) = x^2 + bx - c \equiv 0 \pmod p,$$

let d = b/2 mod p; then (x+d)² ≡ c + d² mod p, x = -d ± √(c + d²). We can solve the equation (1) as soon as we can extract square roots mod p, i.e., solve y² - m ≡ 0 mod p.

Assume first that p = 4k - 1, so that 4 | (p+1). Since m is a q.r., m^{(p-1)/2} ≡ 1 mod p. We claim that

$$(2)\qquad \sqrt{m} = m^{(p+1)/4} \bmod p$$

is one of the two square roots of m. Namely,

$$\left(m^{(p+1)/4}\right)^2 = m^{(p+1)/2} = m \cdot m^{(p-1)/2} \equiv m \pmod p.$$

Thus one implementation of the function would use p and q such that p ≡ q ≡ 3 mod 4, and the decoding algorithm (2).

For p = 4k + 1 we directly solve the equation (1) by a probabilistic algorithm. This is a special case of Berlekamp's root-finding in GF(p) algorithm given in [1]. The short proof given here is taken from [5], where generalizations to GF(p^n) appear. If the roots of (1) are α, β ∈ GF(p) then x² + bx - c = (x - α)(x - β). The roots in GF(p) of the polynomial equation x^{(p-1)/2} - 1 = 0 are exactly the quadratic residues a ∈ GF(p). Consequently, if α is a quadratic residue while β is not, then (x^{(p-1)/2} - 1, f(x)) = x - α, so that α and subsequently β = -(b + α) mod p are readily found.

Assume that α and β are of the same type, i.e., both quadratic residues (q.r.) or both quadratic non-residues mod p, and that α ≠ β. Let 0 ≤ δ < p; then α + δ and β + δ are of the same type if and only if (α+δ)/(β+δ) is a q.r. mod p. As δ takes all values 0 ≤ δ < p except δ = -β, the quotient (α+δ)/(β+δ) takes all values 0 ≤ γ < p except γ = 1. Thus for exactly (p-1)/2 choices of δ, α+δ and β+δ will not be of the same type.

Since f(x-δ) = (x-α-δ)(x-β-δ), we have that for a random choice of 0 ≤ δ < p, with probability 1/2,

$$(3)\qquad \left(x^{(p-1)/2} - 1,\ f(x-\delta)\right) = x - \alpha - \delta \ \text{ or } \ x - \beta - \delta.$$

Thus on the average two values of δ have to be tried for finding the roots of (1).

The computation of the g.c.d. (3) requires O(log₂ p) operations in GF(p), i.e., additions and multiplications mod p. Namely, by essentially repeated squarings starting with x, compute x + h = res(x^{(p-1)/2}, f(x-δ)). Whenever a quadratic polynomial is encountered, divide by f(x-δ) to produce a linear polynomial. Note that x is a formal variable, so that all computations involve just pairs of residues mod p. Now by (3), x + h - 1 is x - α - δ or x - β - δ, so that -δ - h + 1 is a root of (1).
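An added Python example, not from the paper, implementing Definition 1 and the inversion algorithms of Section 2: formula (2) for p ≡ 3 mod 4, the probabilistic g.c.d. method (3) for p ≡ 1 mod 4, and the Chinese-remainder recombination; the function names and the small test primes are my own choices.

```python
import random


def E(x, n, b):
    """Rabin's public-key function of Definition 1: E_{n,b}(x) = x(x+b) mod n."""
    return x * (x + b) % n


def is_qr(m, p):
    """Euler's criterion: m is a quadratic residue (or 0) modulo the odd prime p."""
    return pow(m % p, (p - 1) // 2, p) in (0, 1)


def _mul_mod_g(u, v, g1, g0, p):
    """Multiply a1*x + a0 by b1*x + b0 modulo the monic quadratic x^2 + g1*x + g0 over GF(p).
    Linear polynomials are pairs (a1, a0); the x^2 term is reduced via x^2 = -g1*x - g0."""
    a1, a0 = u
    b1, b0 = v
    t = a1 * b1 % p
    return ((a1 * b0 + a0 * b1 - t * g1) % p, (a0 * b0 - t * g0) % p)


def roots_mod_p(b, c, p, rng=random):
    """Roots of f(x) = x^2 + b*x - c mod p, equation (1) of Section 2; [] if there are none."""
    b, c = b % p, c % p
    d = b * pow(2, -1, p) % p            # complete the square: (x+d)^2 = c + d^2
    m = (c + d * d) % p
    if not is_qr(m, p):
        return []
    if m == 0:
        return [(-d) % p]                # double root; the paper assumes (m, p) = 1
    if p % 4 == 3:
        r = pow(m, (p + 1) // 4, p)      # formula (2): sqrt(m) = m^((p+1)/4)
        return sorted({(-d + r) % p, (-d - r) % p})
    # p = 4k + 1: Berlekamp-style probabilistic root finding, equation (3).
    while True:
        delta = rng.randrange(p)
        g1 = (b - 2 * delta) % p         # g(x) = f(x - delta) = x^2 + g1*x + g0
        g0 = (delta * delta - b * delta - c) % p
        res, base, e = (0, 1), (1, 0), (p - 1) // 2
        while e:                         # x^((p-1)/2) mod g(x) by repeated squaring
            if e & 1:
                res = _mul_mod_g(res, base, g1, g0, p)
            base = _mul_mod_g(base, base, g1, g0, p)
            e >>= 1
        h1, h0 = res[0], (res[1] - 1) % p   # x^((p-1)/2) - 1 mod g(x), i.e. "x + h - 1"
        if h1 == 0:
            continue                     # both roots of g of the same type: try another delta
        r = -h0 * pow(h1, -1, p) % p     # root of the linear g.c.d. candidate
        if (r * r + g1 * r + g0) % p == 0:
            alpha = (r - delta) % p      # g(x) = f(x - delta), so shift back by delta
            return sorted({alpha, (-b - alpha) % p})   # the other root, since alpha + beta = -b


def invert(c, p, q, b, rng=random):
    """Section 2: solve x(x+b) = c mod n separately mod p and mod q, then combine by CRT.
    Returns all solutions (four of them in the generic case)."""
    n = p * q
    alpha = q * pow(q, -1, p) % n        # alpha = 1 mod p, alpha = 0 mod q
    beta = p * pow(p, -1, q) % n         # beta  = 0 mod p, beta  = 1 mod q
    return sorted({(alpha * r + beta * s) % n
                   for r in roots_mod_p(b, c, p, rng)
                   for s in roots_mod_p(b, c, q, rng)})
```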

3. USE IN SIGNATURES 

To employ E for signatures the signer P produces two large primes p, q by use of one of the prime-testing algorithms [3,7]. He forms n = p·q, chooses a number 0 ≤ b < n and publicizes the pair (n,b) (but not the factors p, q).

By convention, when wishing to sign a given message M, P adds as suffix a word U of an agreed upon length k. The choice of U is randomized each time a message is to be signed. The signer now compresses M_1 = MU by a hashing function to a word C(M_1) = c, so that as a binary number c < n; see [4]. The computation of C( ) is publicly known, so that c = C(M_1) is checkable by everybody.

P now checks whether for this c the congruence

$$(4)\qquad x(x+b) \equiv c \pmod n$$

is solvable.

By the analysis of Section 2, this congruence is solvable if and only if m = c + d² is a q.r. mod p and mod q. Thus testing the solvability of (4) amounts to computing the Jacobi symbols (m/p) and (m/q), which is essentially a g.c.d. type computation.

If congruence (4) is not solvable then P picks another random U_1 and tries c_1 = C(MU_1). The expected number of tries is 4. When for some U the congruence (4) is solvable for c = C(MU), P finds a solution x.

DEFINITION 2: For a given public key n, b used by P and an agreed upon compressing function C( ) and integer k, P's signature on a message M is a pair U, x where ℓ(U) = k and x(x+b) ≡ C(MU) mod n.

Anybody can check P's signature by computing c = C(MU) and testing whether x(x+b) ≡ c mod n.

The randomization of the suffix U of M also adds protection against possible attacks on the function E. Without the suffix, an adversary may attempt to feed to P messages M for his signature, hoping to learn the factorization of n from the solution of x(x+b) ≡ C(M) mod n, which will be produced by P as his signature. Actually, this does not seem a serious threat because of the hashing effected by C(M). However, the randomized suffix of length k leads to essentially 2^k possible random values for c = C(MU). Thus for, say, k = 60, the adversary has no effective control over the congruence (4) that P will solve.

4. INVERSION IS EQUIVALENT TO FACTORIZATION

We now want to show that if an adversary can invert E_{n,b}(x) by any algorithm then he can factor n. By inverting we mean finding for y one of the four x such that E_{n,b}(x) = y. Finding one such x is sufficient for the would-be signature forger, so that we want to show that this is hard. Thus the problem of, say, forging P's signatures is exactly as intractable as the factorization of a number n which is a product of large primes. As mentioned in the Introduction, the scheme in [6] is at most as safe as factorization but conceivably easier to crack.

In the following theorem we count an addition of numbers a, b ≤ n as one operation.

It is readily seen that if we can solve (4) for fixed n, b and arbitrary c then we can extract square roots, i.e., solve y² ≡ m mod n whenever a solution exists. Namely, letting b = 2d mod n (n is odd) and m = c + d² mod n, (4) turns into

$$x^2 + 2dx + d^2 = (x+d)^2 \equiv m \pmod n.$$

Thus our result follows from

THEOREM 1: Let AL be an algorithm for finding one of the solutions of

$$(5)\qquad y^2 \equiv m \pmod n$$

whenever a solution exists, and requiring F(n) steps. There exists an algorithm for factoring n requiring 2F(n) + 2 log₂ n steps.

Proof. Assume that n = p·q is a product of two primes, the case relevant for E_{n,b}. The proof easily extends to the general case.

For any 0 < k < n, (k,n) = 1, there are exactly four solutions for the congruence

$$y^2 \equiv k^2 \pmod n.$$

Namely, let res(k,p) = r, res(k,q) = s; then the solutions y of this congruence satisfy res(y,p) ≡ ±r mod p, res(y,q) ≡ ±s mod q, and each of the four sign combinations gives rise to a different solution. Defining for 0 ≤ y_1, y_2 < n, y_1 ~ y_2 to mean y_1² ≡ y_2² mod n, we see that this equivalence relation decomposes the set 0 < y < n, (y,n) = 1 into classes each containing four elements.

Denote by √m the solution of (5) by AL for any m, (m,n) = 1. If AL produces more than one solution then the factorization algorithm that follows is even further facilitated.

Choose at random a number 0 < k < n. If (k,n) ≠ 1 then we directly get a factor of n. In practice, this possibility can be neglected. Compute k² = m mod n. Compute k_1 = √m by AL. Now, k is in the equivalence class, by the relation ~, of k_1. In a random choice of 0 < k < n, all four possible choices of numbers within any class are equally likely. Hence with probability 1/2

$$k \equiv k_1 \pmod p,\ k \equiv -k_1 \pmod q \quad\text{or}\quad k \equiv -k_1 \pmod p,\ k \equiv k_1 \pmod q.$$

Therefore with probability 1/2

$$(6)\qquad (k - k_1, n) = p \ \text{ or } \ q.$$

The computation of √m requires F(n) steps. The computation of the g.c.d. (6) requires at most log₂ n subtractions and divisions by 2, of numbers smaller than n. Hence the expected number of steps is 2F(n) + 2 log₂ n.

If we count bit-operations then subtraction of numbers smaller than n requires at most log₂ n bit-operations and the bound is 2F(n) + 2(log₂ n)².

The previous theorem may be strengthened to cover the situation that for the given key E_{n,b} can be decoded in just a small percentage of all cases.

THEOREM 2: If AL solves (5) in F(n) steps for 1/e of the 0 < m < n, (m,n) = 1, for which (5) has a solution, then there is an algorithm for factoring n requiring 2eF(n) + 2 log₂ n steps.

Proof. As in the proof of Theorem 1, choose a 0 < k < n at random and compute k² = m mod n. Apply AL to find √m. If the computation runs more than F(n) steps, abort it and choose another k. Whenever a root k_1 = √m is found, compute (k - k_1, n). The analysis in the proof of Theorem 1 implies that with probability 1/2 each such try produces a factorization of n.

The expected number of choices of k leading to a √m is e, and the expected number of successes of AL needed for a factorization is 2. Thus the total expected number of steps is 2eF(n) + 2 log₂ n. Note that we embark on the second phase of the factorization only after a success of AL in finding √m.

If for example e = 1000, and F(n) were not prohibitively large, then an adversary could factor n in 2000 F(n) + 2 log₂ n steps. Consequently, if no practical algorithm for factoring n is possible, then no practical decoding algorithm could work in even 1/1000 of all cases.
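The signing procedure of Section 3 and the reduction of Theorems 1 and 2, as an added Python example that is not part of the original paper. The toy primes, the SHA-256 based compressing function C, the stand-in oracles for AL, and all names are assumptions of this example.

```python
import hashlib
import random
from math import gcd

# Constructed toy key for demonstration only: p = q = 3 mod 4, so formula (2) of
# Section 2 gives square roots mod p as m^((p+1)/4).  A real key needs large primes.
P, Q = 1019, 1031
N = P * Q
B = 12345       # public b with 0 <= b < n
K = 60          # bit length of the random suffix U, as in Section 3


def legendre(m, p):
    """Legendre symbol (m/p) by Euler's criterion: 1 (q.r.), -1 (non-residue) or 0."""
    r = pow(m % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def sqrt_mod_n(m, p, q):
    """All four y with y^2 = m mod pq, for p = q = 3 mod 4 and (m, pq) = 1;
    [] when m is not a square mod both primes (congruence (5) unsolvable)."""
    if legendre(m, p) != 1 or legendre(m, q) != 1:
        return []
    rp = pow(m, (p + 1) // 4, p)            # formula (2) mod p
    rq = pow(m, (q + 1) // 4, q)            # formula (2) mod q
    n = p * q
    alpha = q * pow(q, -1, p) % n           # alpha = 1 mod p, 0 mod q  (Section 2)
    beta = p * pow(p, -1, q) % n            # beta  = 0 mod p, 1 mod q
    return sorted({(alpha * r + beta * s) % n
                   for r in (rp, p - rp) for s in (rq, q - rq)})


def solve_E(c, b, p, q):
    """Solutions of x(x+b) = c mod pq: with d = b/2 mod n, (x+d)^2 = c + d^2 mod n."""
    n = p * q
    d = b * pow(2, -1, n) % n
    m = (c + d * d) % n
    return [(y - d) % n for y in sqrt_mod_n(m, p, q)]


def compress(message, u, n):
    """Public compressing function C(MU): SHA-256 of M||U reduced below n (constructed)."""
    h = hashlib.sha256(message + u.to_bytes((K + 7) // 8, "big")).digest()
    return int.from_bytes(h, "big") % n


def sign(message, p, q, b):
    """Section 3: draw random suffixes U until congruence (4) is solvable.
    Returns ((U, x), number of tries); the paper's expected number of tries is 4."""
    n = p * q
    tries = 0
    while True:
        tries += 1
        u = random.getrandbits(K)
        xs = solve_E(compress(message, u, n), b, p, q)
        if xs:
            return (u, random.choice(xs)), tries


def verify(message, signature, n, b):
    """Definition 2: check x(x+b) = C(MU) mod n using only the public key."""
    u, x = signature
    return x * (x + b) % n == compress(message, u, n)


def factor_with_root_oracle(n, oracle, max_tries=10000):
    """Theorems 1 and 2: turn an algorithm AL that returns one square root mod n
    (oracle(m) -> y with y^2 = m mod n, or None when AL fails on this m) into a factor
    of n.  Each successful oracle call yields a factor with probability 1/2 via (6)."""
    for _ in range(max_tries):
        k = random.randrange(1, n)
        if gcd(k, n) != 1:               # (k, n) != 1 gives a factor directly
            return gcd(k, n)
        k1 = oracle(k * k % n)
        if k1 is None:                   # AL failed on this m: pick another k (Theorem 2)
            continue
        g = gcd(k - k1, n)               # (6): (k - k1, n) = p or q with probability 1/2
        if 1 < g < n:
            return g
    return None


def private_root_oracle(m):
    """Stands in for AL: the key holder can always answer using the factors."""
    roots = sqrt_mod_n(m, P, Q)
    return roots[0] if roots else None


def partial_root_oracle(m, e=5):
    """An AL that answers only on about 1/e of the inputs, as in Theorem 2."""
    return private_root_oracle(m) if m % e == 0 else None
```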



5. GENERALIZATIONS

The above method of construction of a one-way function can be extended to employ polynomials or powers of x of small degrees other than 2.

Assume for example that n = p·q, where p and q are primes of the form 3k + 1. The one-way function will be E(x) = x³ mod n. The decoding is effected by solving x³ - m ≡ 0 mod p and mod q by a probabilistic algorithm similar to the one used in Section 2. Again one can prove that any algorithm for extracting cubic roots leads, for n of the above form, to a factorization of n.

The probability that x³ ≡ w mod n is solvable for a random w is 1/9. Thus for utilization in signatures the quadratic scheme seems best.
INTRODUCTION

For the transmission of information in public-key cryptosystems a receiver R makes an enciphering key E_R public and keeps a deciphering key D_R secret. A sender S can read R's public key E_R and enciphers a message M as E_R(M). Only the authorised receiver R knows the correct key D_R to reproduce the message M by forming D_R(E_R(M)) = M. Here the key E_R has to be computationally easy to handle, but it has to be computationally infeasible to derive D_R from the knowledge of E_R above. If sender S wants to "sign" the message, she sends E_R(D_S(M)) and the receiver deciphers it as E_S(D_R(E_R(D_S(M)))) = M, where E_S and D_S are the enciphering and deciphering keys, respectively, of S.

In order to have signatures like this we have to have the property E_X ∘ D_X = D_X ∘ E_X for the keys of a person X. Particularly simple to handle are key functions with the properties

(1.1) E_X ∘ E_Y = E_Y ∘ E_X, E_X ∘ D_Y = D_Y ∘ E_X, D_X ∘ D_Y = D_Y ∘ D_X

for any persons X and Y. If (1.1) holds we do not have to be concerned about the order of the composition of key-functions.

In the RSA-cryptosystem the key E_R can be regarded as a permutation of a set A of elements used for enciphering a plain text; D_R is the inverse permutation to E_R on A. Permutations of the set A = Z_m of residue classes modulo m can be obtained by using permutation polynomials modulo m.

Rudolf Lidl and Winfried B. Müller

These are polynomials which induce a permutation of Z_m on substitution of the elements of Z_m. In the RSA system the permutation polynomials x^k of Z_m are used, where (k, φ(m)) = 1, m = pq and p, q are (large) primes. These permutation polynomials form a group with respect to composition ∘; we have x^k ∘ x^l = x^{kl}, k, l ≥ 1. In general it is difficult to construct permutation polynomials whose inverses are known or are not too complicated to construct.

In this paper we study some questions connected with the RSA-cryptosystem and its generalisations. We investigate classes of polynomials and rational functions for which the task of finding inverses is easy and which are suitable for RSA-type cryptosystems.

2. POLYNOMIALS IN ONE VARIABLE

In the RSA-cryptosystem the polynomials x^k are used for enciphering modulo m. The polynomial functions x → x^k from Z_m into itself satisfy conditions (1.1). Müller and Nöbauer [11] suggested to replace the polynomials x^k by the Dickson polynomials g_k(a,x) to create a modified RSA-cryptosystem. These polynomials are defined by

$$g_k(a,x) = \sum_{i=0}^{\lfloor k/2 \rfloor} \frac{k}{k-i}\binom{k-i}{i}(-a)^i x^{k-2i}.$$

For a = 0 we obtain x^k. The polynomials g_k(a,x) also satisfy (1.1), since g_k(a,x) ∘ g_l(a,x) = g_{kl}(a,x). For a = 1 there is a simple recurrence relation, cf. [3], for generating these polynomials:

$$g_{k+2} - x\,g_{k+1} + g_k = 0, \qquad g_0 = 2,\ g_1 = x.$$

If m = pq, p and q prime, then g_k(a,x) induces a permutation of Z_m if and only if (k, (p²-1)(q²-1)) = 1 (cf. [4], [13]). In [4] it is also shown that g_l(a,x) is the inverse of g_k(a,x) if and only if kl ≡ 1 (mod (p²-1)(q²-1)). It is impossible to calculate l, and therefore the inverse of g_k(a,x), if the prime factors p and q of m are unknown.

In this section we investigate which other classes of polynomials in one variable can be used for modified forms of the RSA-cryptosystem. We suppose that any such class should satisfy (1.1). Since we want to have a cryptosystem in Z_m for an arbitrary product m = pq of primes, we require that the desired classes of polynomials contain at least one of degree k for any positive integer k.

Following Lausch and Nöbauer [5] a class C of polynomials over Q is a permutable chain if every polynomial in C is of degree > 0, for k > 0 there exists a polynomial in C of degree k, and f(x) and g(x) commute, that is f ∘ g = g ∘ f for all f, g ∈ C. In order to find classes of polynomials for RSA-type cryptosystems with the above properties, we have to find permutable chains over Z. A chain C_l = {l^{-1} ∘ f_i ∘ l | i ∈ I} is called a conjugate (over Q) of a permutable chain C = {f_i | f_i ∈ Q[x], i ∈ I}, where l is a linear polynomial. C_l is permutable too, and conjugacy is an equivalence relation on the set of all permutable chains over Q. Theorem 3.33 of [5] proves that every permutable chain over Q is some conjugate of either the chain of powers S = {x, x², x³, ...} or the chain of Chebyshev polynomials T = {t_i | t_i the i-th Chebyshev polynomial of the first kind}. Therefore any permutable chain over Q contains exactly one polynomial of degree k.

All permutable chains over Z are obtained by determining those chains which consist of polynomials over Z amongst the permutable chains over Q. The chains S and T are permutable over Z. There is a simple connection between the Dickson polynomials and the Chebyshev polynomials of the first kind, namely

$$g_k(a,x) = 2(\sqrt{a})^k\, T_k\!\left(\frac{x}{2\sqrt{a}}\right).$$

Thus the polynomials x^k and g_k(a,x), which can be used in RSA-cryptosystems, form permutable chains. Now Proposition 3.51 of [5] states that all permutable chains over Z are certain conjugates of S and T. This shows us how to find all classes of polynomials for an RSA-type cryptosystem, where a polynomial of that class replaces x^k in the standard RSA-cryptosystem to lead to a generalization.

Theorem 2.1 All possible classes of commuting polynomials for an RSA-type cryptosystem are given by the permutable chains

$$\frac{x - v}{u} \circ S \circ (ux + v), \qquad u, v \in \mathbb{Z},\ u \ne 0,\ v^2 - v \in \mathbb{Z}u,$$

and

$$\frac{x - v}{u} \circ T \circ (ux + v), \qquad u, v \in \mathbb{Z},\ u \ne 0,\ v - 2 \in \mathbb{Z}u,$$

where S = {x, x², x³, ...} and T = {t_i | t_i the i-th Chebyshev polynomial of the first kind}.

In summary, Theorem 2.1 shows that the power polynomials x^k and the Dickson (or Chebyshev) polynomials of degree k are essentially the only classes of polynomials such that there is a polynomial of degree k in the class for any k ∈ N and that the polynomials of a class commute.
3. ON THE CHOICE OF KEYS IN THE RSA-CRYPTOSYSTEM

In the original RSA-cryptosystem it is important to choose the enciphering function P_k: x → x^k from Z_pq into itself in such a way that P_k has as few fixed points as possible. This problem has been considered widely, see e.g. [2], [12], [15]. A result contained, for instance, in [12] says that the permutation P_k on Z_pq has exactly ((k-1, p-1) + 1)((k-1, q-1) + 1) fixed points. P_k is a permutation of Z_pq if and only if (k, (p-1)(q-1)) = 1. Moreover, for k = (p-2)(q-2) the permutation of Z_pq has exactly 9 fixed points, since

$$\big(((p-2)(q-2) - 1,\ p-1) + 1\big)\big(((p-2)(q-2) - 1,\ q-1) + 1\big) = (2 + 1)(2 + 1) = 9.$$

This shows

Proposition 3.1 For odd primes p and q the number of fixed points of a permutation P_k of Z_pq is always an odd integer ≥ 9. For k = (p-2)(q-2), P_k has exactly 9 fixed points.

Let [a,b] denote the least common multiple of integers a and b. All k with (k, (p-1)(q-1)) = 1, (k-1, p-1) = d_1, and (k-1, q-1) = d_2 are obtained by letting k = r d_1 d_2 + 1, where r is any integer satisfying (r, (p-1)(q-1)/d_1 d_2) = 1.

Theorem 3.2 Let d_1 = (k-1, p-1), d_2 = (k-1, q-1). All permutations P_k of Z_pq with exactly (d_1 + 1)(d_2 + 1) fixed points are obtained if we set k = r d_1 d_2 + 1 and r is any of the integers 1, ..., [p-1, q-1] which satisfies (r, (p-1)(q-1)/d_1 d_2) = 1.

Now let [p-1, q-1] = q_1^{e_1} ··· q_s^{e_s} and [d_1, d_2] = q_1^{f_1} ··· q_s^{f_s} be decompositions into prime factors; then [12] shows that the number of k's in Theorem 3.2 is given by

$$\prod_{j=1}^{s} q_j^{\,e_j - f_j - 1}\,(q_j - t_j), \qquad \text{where } t_j = \begin{cases} 2 & \text{if } f_j = 0 \\ 1 & \text{if } 0 < f_j < e_j. \end{cases}$$

This result implies

Proposition 3.3 For odd primes p and q the number of permutations P_k with exactly 9 fixed points is

$$2^{e_1 - 2} \prod_{j=2}^{s} q_j^{\,e_j - 1}\,(q_j - 2).$$
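An added Python check, not from the paper, of the fixed-point count quoted from [12] against a brute-force count, of the minimum in Proposition 3.1, and of the count in Proposition 3.3; the small primes p = 5, q = 11 used in the assertions are constructed for the demonstration.

```python
from math import gcd, lcm


def fixed_points_bruteforce(k, m):
    """Number of x in Z_m with x^k = x mod m, counted directly."""
    return sum(1 for x in range(m) if pow(x, k, m) == x)


def fixed_points(k, p, q):
    """Fixed-point count of P_k: x -> x^k on Z_pq, as quoted from [12]:
    ((k-1, p-1) + 1) * ((k-1, q-1) + 1)."""
    return (gcd(k - 1, p - 1) + 1) * (gcd(k - 1, q - 1) + 1)


def is_permutation_exponent(k, p, q):
    """P_k permutes Z_pq iff (k, (p-1)(q-1)) = 1."""
    return gcd(k, (p - 1) * (q - 1)) == 1


def exponents_with_fixed_points(p, q, target):
    """All k modulo [p-1, q-1] for which P_k is a permutation with exactly `target`
    fixed points.  x^k mod pq depends only on k modulo the lcm, so this lists every
    distinct permutation P_k exactly once."""
    period = lcm(p - 1, q - 1)
    return [k for k in range(1, period + 1)
            if is_permutation_exponent(k, p, q) and fixed_points(k, p, q) == target]


def _factor(n):
    """Prime factorization {prime: exponent} by trial division (n is small here)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def count_nine_fixed_points(p, q):
    """Proposition 3.3: with [p-1, q-1] = 2^{e_1} q_2^{e_2} ... q_s^{e_s}, the number of
    permutations P_k with exactly 9 fixed points is 2^{e_1-2} * prod_{j>=2} q_j^{e_j-1} (q_j - 2)."""
    f = _factor(lcm(p - 1, q - 1))      # p, q odd, so 2 always divides the lcm
    result = 2 ** (f[2] - 2)
    for qj, ej in f.items():
        if qj != 2:
            result *= qj ** (ej - 1) * (qj - 2)
    return result


def fewest_fixed_points(p, q):
    """Minimum fixed-point count over all permutation exponents (Proposition 3.1 says >= 9)."""
    period = lcm(p - 1, q - 1)
    return min(fixed_points(k, p, q) for k in range(2, period + 1)
               if is_permutation_exponent(k, p, q))
```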
4. POLYNOMIALS IN SEVERAL VARIABLES

A possible generalization of the RSA-cryptosystem can be achieved by considering polynomials in several variables instead of x^k or g_k(a,x). Such a generalization has been suggested in [11]. Instead of permutation polynomials one has to study permutation polynomial vectors, or orthogonal systems (cf. Lidl and Niederreiter [8, ch. 7]). Let m be as above. A vector

$$(p_1(x_1, \ldots, x_n), \ldots, p_n(x_1, \ldots, x_n)) \in (\mathbb{Z}[x_1, \ldots, x_n])^n$$

is called an orthogonal system for Z_m^n if this vector induces a permutation of Z_m^n on substitution of (a_1, ..., a_n) ∈ Z_m^n for (x_1, ..., x_n).

To give a direct generalization of the RSA-cryptosystem, the n-tuples of the smallest non-negative representatives of Z_m can be used as the code alphabet, or alternatively, one subdivides the message into n-tuples for enciphering. For example, a simple orthogonal system for Z_m^n is (x_1^{k_1}, ..., x_n^{k_n}), where (k_i, φ(m)) = 1 for i = 1, ..., n. For deciphering one has to find l_i which satisfy k_i l_i ≡ 1 (mod φ(m)) and then forms (x_1^{l_1}, ..., x_n^{l_n}). Then (x_1^{k_1}, ..., x_n^{k_n}) ∘ (x_1^{l_1}, ..., x_n^{l_n}) = (x_1, ..., x_n).

Corresponding to the Dickson polynomials g_k(a,x) there is a set of polynomials in n variables which form an orthogonal system for Z_m^n, namely the Dickson (or Chebyshev) polynomials in n variables. These polynomials have been studied extensively as to their algebraic, analytic and number-theoretic properties, see [3], [8], [9], [10]. Here we only describe the simple case n = 2 and m = pq, but all results hold for arbitrary n and squarefree integers m.

We define the Dickson polynomials according to [8] as

$$g_k(x,y) = u^k + v^k + u^{-k}v^{-k}, \qquad \bar{g}_k(x,y) = u^{-k} + v^{-k} + u^k v^k,$$

where x = u + v + u^{-1}v^{-1} and y = u^{-1} + v^{-1} + uv; here u and v are elements of C. It can be verified that g_k and ḡ_k are polynomials in x and y with integral coefficients. These polynomials satisfy recursive relations of the form

$$g_{k+3}(x,y) - x\,g_{k+2}(x,y) + y\,g_{k+1}(x,y) - g_k(x,y) = 0$$

with initial conditions g_0 = 3, g_1 = x, g_2 = x² - 2y, and

$$\bar{g}_{k+3}(x,y) = y\,\bar{g}_{k+2}(x,y) - x\,\bar{g}_{k+1}(x,y) + \bar{g}_k(x,y)$$

with initial conditions ḡ_0 = 3, ḡ_1 = y, ḡ_2 = y² - 2x.

An explicit expression of these polynomials is given in [8, chapter 7]:

k ' 2 k ( 3 k(-l) 1 ,k-i-2j w i+j, k-2i-3j i 
2i+3j*k 

and

$$\bar{g}_k(x,y) = g_k(y,x).$$

In [9] it is shown that (g_k, ḡ_k) form an orthogonal system for Z_p² iff (k, p^s - 1) = 1 for s = 1, 2, 3. For m = pq as above, Matthews [10] proved that (g_k(x,y), ḡ_k(x,y)) form an orthogonal system for Z_m² iff (k, L) = 1, where

$$(4.1)\qquad L = \mathrm{lcm}\{\mathrm{lcm}\{p-1, p+1, p^2+p+1\},\ \mathrm{lcm}\{q-1, q+1, q^2+q+1\}\}.$$

The definition of the polynomials in terms of a functional equation implies

$$(4.2)\qquad (g_k, \bar{g}_k) \circ (g_l, \bar{g}_l) = (g_{kl}, \bar{g}_{kl}).$$

Clearly (g_1, ḡ_1) = (x, y). Also (g_k, ḡ_k) = (g_1, ḡ_1) on Z_m² iff

$$(4.3)\qquad k \equiv 1 \pmod L.$$

This shows how to find the inverse pair to a given pair of polynomials, namely by solving

$$(4.4)\qquad kl \equiv 1 \pmod L.$$

In summary, to use (g_k, ḡ_k) for an RSA-type cryptosystem, we subdivide the message into pairs (a,b) of integers < m, encipher them as (g_k(a,b), ḡ_k(a,b)) modulo m and transmit this pair of integers (mod m) to the receiver. For deciphering, the receiver finds an l satisfying (4.4) and forms the composite (4.2), which recovers (a,b). Since L is impossible to calculate without knowing the factors of m, this procedure appears to be secure for large primes p and q. As before, m and (g_k, ḡ_k) are the public key. Only the authorised receiver knows the prime factors and can thus calculate the inverse vector (g_l, ḡ_l).
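An added Python example, not from the paper, for the Dickson-polynomial variants of Section 2 (one variable) and Section 4 (two variables): it evaluates g_k(a,x) and the pair (g_k, ḡ_k) by the recurrences above, checks the permutation and orthogonal-system conditions on a toy modulus by exhaustion, and recovers a plaintext with the inverse exponents taken modulo (p²-1)(q²-1) and modulo L of (4.1). The primes p = 5, q = 7 and the messages are constructed; all function names are my own.

```python
from itertools import product
from math import gcd, lcm


def dickson(k, a, x, m):
    """g_k(a,x) mod m from the recurrence g_{k+2} = x*g_{k+1} - a*g_k, g_0 = 2, g_1 = x
    (the a = 1 recurrence of Section 2 with the parameter a kept; a = 0 gives x^k)."""
    g0, g1 = 2 % m, x % m
    if k == 0:
        return g0
    for _ in range(k - 1):
        g0, g1 = g1, (x * g1 - a * g0) % m
    return g1


def dickson_pair(k, x, y, m):
    """(g_k(x,y), gbar_k(x,y)) mod m from the three-term recurrences of Section 4:
    g_{k+3} = x*g_{k+2} - y*g_{k+1} + g_k, g_0 = 3, g_1 = x, g_2 = x^2 - 2y,
    and gbar_k(x,y) = g_k(y,x)."""
    def newton(e1, e2):
        s = [3 % m, e1 % m, (e1 * e1 - 2 * e2) % m]
        while len(s) <= k:
            s.append((e1 * s[-1] - e2 * s[-2] + s[-3]) % m)
        return s[k]
    return newton(x, y), newton(y, x)


def is_permutation(f, m):
    """f induces a permutation of Z_m (checked by exhaustion; m is tiny here)."""
    return len({f(x) for x in range(m)}) == m


def is_orthogonal_system(k, m):
    """(g_k, gbar_k) induces a permutation of Z_m x Z_m, i.e. is an orthogonal system."""
    return len({dickson_pair(k, x, y, m) for x, y in product(range(m), repeat=2)}) == m * m


def dickson_inverse_exponent(k, p, q):
    """l with k*l = 1 mod (p^2-1)(q^2-1): then g_l(a, .) inverts g_k(a, .) on Z_pq."""
    return pow(k, -1, (p * p - 1) * (q * q - 1))


def two_variable_L(p, q):
    """(4.1): L = lcm(lcm(p-1, p+1, p^2+p+1), lcm(q-1, q+1, q^2+q+1))."""
    return lcm(lcm(p - 1, p + 1, p * p + p + 1), lcm(q - 1, q + 1, q * q + q + 1))


def pair_inverse_exponent(k, p, q):
    """(4.4): l with k*l = 1 mod L, so (g_l, gbar_l) inverts (g_k, gbar_k) on Z_pq^2."""
    return pow(k, -1, two_variable_L(p, q))


def encipher_pair(k, a, b, p, q):
    """Public operation of Section 4: (a, b) -> (g_k(a,b), gbar_k(a,b)) mod pq."""
    return dickson_pair(k, a, b, p * q)


def decipher_pair(k, c1, c2, p, q):
    """Private operation: apply (g_l, gbar_l) with l from (4.4); needs the factors for L."""
    return dickson_pair(pair_inverse_exponent(k, p, q), c1, c2, p * q)
```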

5. ON PERMUTATION FUNCTIONS

In this section we consider the problem of replacing polynomials, such as x^k or g_k(a,x), in the RSA-cryptosystem by rational functions that induce permutations (mod m). Levine and Brawley [6] give a simple example of the use of linear rational functions over finite fields.

Let r(x) = g(x)/h(x) be a quotient of polynomials over Z, where g and h are relatively prime in Z[x]. r(x) is called a permutation function modulo a positive integer m if h(b) (mod m) is a prime residue class (mod m) for any b ∈ Z_m and the mapping π: Z_m → Z_m, π(b) = h(b)^{-1} g(b) (mod m), is a permutation. A polynomial g(x) is a permutation polynomial iff g(x)/1 is a permutation function. If m = pq, for primes p and q, then r(x) is a permutation function (mod m) iff it is a permutation function (mod p) and (mod q). (Nöbauer [13] studied the case of a prime-power modulus, see also [7].) Sometimes it is convenient to adjoin a symbol ∞ to Z_m. It is assumed that ∞ = 1/0, 0 = 1/∞, ∞ + b = ∞ for b ∈ Z_m, and b·∞ = ∞ for b ≠ 0. If the quantities r(b) are distinct for all b ∈ Z_m ∪ {∞} then r(x) is called a permutation function over Z_m ∪ {∞}. A rational function r(x) is a permutation function for Z_m ∪ {∞} and for Z_m iff the degree of the numerator of r(x) is greater than the degree of the denominator. We shall only consider rational functions of this type and therefore restrict our considerations to Z_m.

Rédei [14] studied permutations of finite fields which are induced by certain rational functions r(x). These functions can also be used for cryptosystems. Let a ≠ 0 be a nonsquare integer and let (a/p) = -1 and (a/q) = -1. We set

$$(x + \sqrt{a})^n = g_n(x) + h_n(x)\sqrt{a},$$

where g_n(x) and h_n(x) are polynomials over Z, given explicitly as

$$g_n(x) = \sum_{i=0}^{\lfloor n/2 \rfloor} \binom{n}{2i} a^i x^{n-2i}, \qquad h_n(x) = \sum_{i=0}^{\lfloor n/2 \rfloor} \binom{n}{2i+1} a^i x^{n-2i-1}.$$

Rédei defines a rational function f_n(x) = g_n(x)/h_n(x) and proves that f_n(x) is a permutation function modulo a prime p ≠ 2 if n is odd, (n, p+1) = 1 and p ∤ n. The construction of f_n(x) is such that

$$(5.1)\qquad \frac{f_n(x) + \sqrt{a}}{f_n(x) - \sqrt{a}} = \left(\frac{x + \sqrt{a}}{x - \sqrt{a}}\right)^n,$$

and hence

$$\frac{f_{kn}(x) + \sqrt{a}}{f_{kn}(x) - \sqrt{a}} = \frac{f_k(f_n(x)) + \sqrt{a}}{f_k(f_n(x)) - \sqrt{a}}.$$

Therefore

$$(5.2)\qquad f_k(f_n(x)) = f_{kn}(x),$$

which is an essential property for a function to be useful for our purpose. Let π_n be the permutation of Z_p induced by f_n(x); then the product rule π_k π_n = π_{kn} corresponds to (5.2), that is, the product of two permutations of Z_p is induced by the composite of the polynomials belonging to the factors. Moreover, π_k = π_n iff k ≡ n (mod p+1) (cf. Rédei [14]). We note that f_1(x) = x and π_n = e (the identity map) iff (p+1) | (n-1). Therefore we can easily find the inverse of a given f_n(x) on Z_p according to

Lemma f_k(f_n(x)) = x iff

$$(5.3)\qquad nk \equiv 1 \pmod{p+1}.$$

The proof is essentially contained in [14].

Now we can state the use of f_n(x) in RSA-cryptosystems. Let m = pq, with p, q two large primes which are kept secret, let n be an odd integer with p ∤ n, q ∤ n, (n, p+1) = (n, q+1) = 1, and let a be as given above. Then f_n(x) is a permutation function modulo m. This follows immediately from the Chinese remainder theorem. A message is encoded as an integer a < m and then enciphered as f_n(a) (mod m). The receiver deciphers this cipher by calculating the inverse f_k(x) of f_n(x) (mod m). The receiver has to find a k satisfying (5.3) (mod p+1) and (mod q+1), or equivalently

$$(5.4)\qquad nk \equiv 1 \pmod{[p+1, q+1]}.$$

Again, without knowing the factors of m it is impracticable to find a k satisfying (5.4) and with it the inverse of f_n(x). In [13] it is shown that there are infinitely many primes p and q with (p+1, n) = (q+1, n) = 1 and (a/p) = (a/q) = -1, n odd and a a nonsquare, except in the case when the squarefree kernel of a equals -3 and at the same time 3 | n.
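An added Python example, not from the paper, of the Rédei-function cryptosystem of this section: (g_n(x), h_n(x)) are obtained by square-and-multiply in Z_p[√a] rather than from the explicit sums, the composition rule (5.2) and the permutation property are checked on a toy prime, and a message is enciphered and deciphered modulo m = pq with the exponent k from (5.4). The primes p = 11, q = 7, the nonsquare a = 6 and the message are constructed; all names are my own.

```python
from math import lcm


def redei_pair(n, x, a, p):
    """(g_n(x), h_n(x)) mod p with (x + sqrt(a))^n = g_n(x) + h_n(x) sqrt(a), computed by
    square-and-multiply on pairs (g, h) representing g + h*sqrt(a) in Z_p[sqrt(a)]."""
    g, h = 1, 0             # (x + sqrt(a))^0 = 1
    bg, bh = x % p, 1       # base: x + sqrt(a)
    while n:
        if n & 1:           # (g + h s)(bg + bh s) with s^2 = a
            g, h = (g * bg + a * h * bh) % p, (g * bh + h * bg) % p
        bg, bh = (bg * bg + a * bh * bh) % p, (2 * bg * bh) % p
        n >>= 1
    return g, h


def redei(n, x, a, p):
    """Redei's rational function f_n(x) = g_n(x)/h_n(x) mod p.  With a a nonsquare mod p,
    n odd and (n, p+1) = 1, h_n(x) is a unit mod p for every x, so the division is defined."""
    g, h = redei_pair(n, x, a, p)
    return g * pow(h, -1, p) % p


def is_nonsquare(a, p):
    """Legendre symbol (a/p) = -1 by Euler's criterion."""
    return pow(a % p, (p - 1) // 2, p) == p - 1


def redei_mod_m(n, x, a, p, q):
    """f_n(x) mod m = pq, assembled from the values mod p and mod q by the Chinese
    remainder theorem, exactly as the section argues for the permutation property."""
    rp, rq = redei(n, x, a, p), redei(n, x, a, q)
    m = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % m


def inverse_exponent(n, p, q):
    """(5.4): k with n*k = 1 (mod [p+1, q+1]); requires the factors p and q."""
    return pow(n, -1, lcm(p + 1, q + 1))


def encipher(n, message, a, p, q):
    """Public operation: message -> f_n(message) mod pq."""
    return redei_mod_m(n, message, a, p, q)


def decipher(n, cipher, a, p, q):
    """Private operation: apply f_k with k from (5.4), which by (5.2) and the Lemma is f_n^{-1}."""
    return redei_mod_m(inverse_exponent(n, p, q), cipher, a, p, q)
```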
Abstract

We describe protocols for three or more parties to jointly generate a composite N = pqr which is the product of three primes. After our protocols terminate N is publicly known, but neither party knows the factorization of N. Our protocols require the design of a new type of distributed primality test for testing that a given number is a product of three primes. We explain the cryptographic motivation and origin of this problem.

1 Introduction

In this paper, we describe how three (or more) parties can jointly generate an integer N which is the product of three prime numbers, N = pqr. At the end of our protocol the product N is publicly known, but neither party knows the factorization of N. Our main contribution is a new type of probabilistic primality test that enables the three parties to jointly test that an integer N is the product of three primes without revealing the factorization of N. Our primality test simultaneously uses two groups: the group Z_N^* and the projective line over Z_N.

The main motivation for this problem comes from cryptography, specifically the sharing of an RSA key. Consider classical RSA: N = pq is a public modulus, e is a public exponent and d is secret, where de = 1 mod φ(N). At a high level a digital signature of a message M is obtained by computing M^d mod N. In some cases the secret key d is highly sensitive (e.g. the secret key of a Certification Authority) and it is desirable to avoid storing it at a single location. Splitting the key d into a number of pieces and storing each piece at a different location avoids this single point of failure. One approach (due to Frankel [8]) is to pick three random numbers satisfying d = d_1 + d_2 + d_3 mod φ(N) and store each of the shares d_1, d_2, d_3 at one of three different sites. To generate a signature of a message M, site i computes S_i = M^{d_i} mod N for i = 1, 2, 3 and sends the result to a combiner. The combiner multiplies the S_i and obtains the signature S = S_1 S_2 S_3 = M^d mod N. If one or two of the sites are broken into, no information about the private key is revealed. An important property of this scheme is that it produces standard RSA signatures - the user receiving the signature is totally unaware of the extra precautions taken in protecting the private key. Note that during signature generation the secret key is never reconstructed at a single location.

To provide fault tolerance one slightly modifies the above technique to enable any two of the three
sites to generate a signature. This way if one of the sites is temporarily unavailable the Certification
Authority can still generate signatures using the remaining two sites. If the key was only distributed
among two sites the system would be highly vulnerable to faults.

We point out that classic techniques of secret sharing [15] are inadequate in this scenario. Secret
sharing requires one to reconstruct the secret at a single location before it can be used, hence
introducing a single point of failure. The technique described above of sharing the secret key such that it
can be used without reconstruction at a single location is known as Threshold Cryptography. See [10]
for a succinct survey of these ideas and the nontrivial problems associated with them.

An important question left out of the above discussion is key generation. Who generates the RSA
modulus $N$ and the shares $d_1, d_2, d_3$? Previously the answer was that a trusted dealer would generate $N$ and
distribute the shares $d_1, d_2, d_3$ to the three sites. Clearly this solution is undesirable since it introduces
a new single point of failure: the trusted dealer. It knows the factorization of $N$ and the secret key $d$.
If it is compromised the secret key is revealed. Recently Boneh and Franklin [2] designed a protocol
that enables three (or more) parties to jointly generate an RSA modulus $N = pq$ and shares $d_1, d_2, d_3$
of a private key. At the end of the protocol the parties are assured that $N$ is indeed the product of
two large primes, however none of them knows its factorization. In addition each party learns exactly
one of $d_1, d_2, d_3$ and has no computational information about the other shares. Thus, there is no need
for a trusted dealer. We note that Cocks [6] introduced a heuristic protocol enabling two parties to
generate a shared RSA key.

In this paper we design an efficient protocol enabling three (or more) parties to generate a modulus
$N = pqr$ such that no party knows the factorization of $N$. Once $N$ is generated the same
techniques used in [2] can be used to generate shares $d_1, d_2, d_3$ of a private exponent. For this reason
throughout the paper we focus on the generation of the modulus $N = pqr$ and ignore the generation of
the private key. The methods of [2] do not generalize to generate a modulus with three prime factors
and new techniques had to be developed for this purpose.

We remark that techniques of secure circuit evaluation [1, 5, 17] can also be used to solve this
problem. However, these protocols are mostly theoretical, resulting in extremely inefficient algorithms.

2 Motivation 

The problem discussed in the paper is a natural one and thus our solution is of independent
interest. Nonetheless, the problem is well motivated by a method for improving the efficiency of shared
generation of RSA keys. To understand this we must briefly recall the method used by Boneh and
Franklin [2]. We refer to the three parties involved as Alice, Bob and Carol. At a high level, to generate
a modulus $N = pq$ the protocol works as follows:

Step 1 Alice picks two random $n$-bit integers $p_a, q_a$, Bob picks two random $n$-bit integers $p_b, q_b$ and
Carol picks two random $n$-bit integers $p_c, q_c$. They keep these values secret.

Step 2 Using a private distributed computation they compute the value

$$N = (p_a + p_b + p_c)(q_a + q_b + q_c)$$

At the end of the computation $N$ is publicly available, however no other information about the
private shares is revealed. This last statement is provable in an information theoretic sense.

Step 3 The three parties perform a distributed primality test to test that $N$ is the product of exactly
two primes. As before, this step provably reveals no information about the private shares.



Step (3), the distributed primality test, is a new type of probabilistic primality test which is one of
the main contributions of [2]. Step (2) is achieved using an efficient variation of the BGW [1] protocol.

A drawback of the above approach is that both factors of $N$ are simultaneously tested for primality.
Hence, the expected number of times step (3) is executed is $O(n^2)$. This is much worse than single
user generation of $N$ where the two primes are first generated separately by testing $O(n)$ candidates
and then multiplied together. When generating a 1024 bit modulus this results in a significant slowdown
when compared with single user generation.

To combat this quadratic slowdown one may try the following alternate approach.

Step 1 Alice picks a random $n$-bit prime $p$ and a random $n$-bit integer $r_a$. Bob picks a random $n$-bit
prime $q$ and a random $n$-bit integer $r_b$. Carol picks a random $n$-bit integer $r_c$. They keep these
values secret.

Step 2 Using a private distributed computation they compute the value

$$N = pq(r_a + r_b + r_c)$$

At the end of the computation $N$ is publicly available, however no other information about the
private shares is revealed.

Step 3 The three parties use the results of this paper to test that $N$ is the product of exactly three
primes. This step provably reveals no information about the private shares.

At the end of the protocol no party knows the full factorization of $N$. In addition, this approach
does not suffer from the quadratic slowdown observed in the previous method. Consequently, it is
faster by roughly a factor of 50 (after taking effects of trial division into account). As before, step (2)
is carried out by an efficient variant of the BGW protocol.

Instead of solving the specific problem of testing that $N = pq(r_a + r_b + r_c)$ is a product of three
primes we solve the more general problem of testing that

$$N = (p_a + p_b + p_c)(q_a + q_b + q_c)(r_a + r_b + r_c)$$

is a product of three primes without revealing any information about the private shares. This primality
test is the main topic of this paper.

For the sake of completeness we point out that in standard single party cryptography there are
several advantages to using an RSA modulus $N = pqr$ rather than the usual $N = pq$ (the size of
the modulus is the same in both cases). First, signature generation is much faster using the Chinese
Remainder Theorem (CRT). When computing $M^d \bmod N$ one only computes $M^{d \bmod (p-1)} \bmod p$ for
all three factors. Since the numbers (and exponents) are smaller, signature generation is about twice
as fast as using CRT with $N = pq$. Another advantage is that an attack on RSA due to Wiener [16]
becomes less effective when using $N = pqr$. Wiener showed that for $N = pq$ if $d < N^{1/4}$ one can
recover the secret key $d$ from the public key. When $N = pqr$ the attack is reduced to $d < N^{1/6}$ and
hence it may be possible to use smaller values of $d$ as the secret key. Finally, we note that the fastest
factoring methods [13] cannot take advantage of the fact that the factors of $N = pqr$ are smaller than
those of a standard RSA modulus $N = pq$.
3 Preliminaries



In this section, we explain the initial setup for our new probabilistic primality test and how it is 
obtained. We then explain a basic protocol which we use in the later parts of the paper. At first reading 
the reader may wish to skip to Section 4 and take on faith that the necessary setup is attainable. 

3.1 Communication and privacy model 

The communication and privacy model assumed by our protocol is as follows:

Full connectivity Any party can communicate with any other party. This is a typical setup on a
local network or the Internet.

Private and authenticated channels Messages sent from party $A$ to party $B$ are private and cannot
be tampered with en route. This simply states that $A$ and $B$ share a secret key which they
can use for encryption and authentication.

Honest parties We assume all parties are honestly following the protocol. This is indeed the case 
when they are truly trying to create a shared key. This assumption is used by both [2] and [6]. 
We note that some recent work [9] makes the protocol of [2] robust against cheating adversaries 
at the cost of some slowdown in performance (roughly a factor of 100). These robustness results 
apply to the protocols described in this paper as well. 

Collusion Our protocol is 1-private. That is to say that a single party learns no information about
the factorization of $N = pqr$. However, if two of the three parties collude they can recover
the factors. For three parties this is fine since our goal is to enable two-out-of-three signature
generation. Hence, two parties are always jointly able to recover the secret key. More generally,
when $k$ parties participate in our primality test protocol one can achieve privacy. That
is, any minority of parties learns no information about the factors of $N$.

3.2 Generation of N

In the previous section we explained that Alice, Bob and Carol generate $N$ as

$$N = (p_a + p_b + p_c)(q_a + q_b + q_c)(r_a + r_b + r_c)$$

where party $i$ knows $p_i, q_i, r_i$ for $i = a, b, c$ and keeps these shares secret while making $N$ publicly
available. To compute $N$ without revealing any other information about the private shares we use
the BGW protocol [1]. For the particular function above the protocol is quite efficient, requiring three
rounds of communication and a total of 6 messages. The protocol is information theoretically secure,
i.e. other than the value of $N$ party $i$ has no information about the shares held by other parties. This
is to say the protocol is 1-private.

We do not go into the details of how the BGW protocol is used to compute $N$ since it is tangential
to the topic of this paper, namely testing that $N$ is a product of three distinct primes. For our purpose it
suffices to assume $N$ is public while the private shares are kept secret.

An important point is that our primality test can only be applied when $p_a + p_b + p_c = q_a + q_b + q_c =
r_a + r_b + r_c = 3 \bmod 4$. Hence, the parties must coordinate the two lower bits of their shares ahead of
time so that the sums are indeed 3 modulo 4. Indeed, this means that a priori each party knows the
two least significant bits of the others' shares.
3.3 Sharing of $(p-1)(q-1)(r-1)$ and $(p+1)(q+1)(r+1)$



Let $p = p_a + p_b + p_c$, $q = q_a + q_b + q_c$ and $r = r_a + r_b + r_c$. We define $\varphi = (p-1)(q-1)(r-1)$.
Since $p, q, r$ are not necessarily prime, $\varphi$ may not equal $\varphi(N)$. Our protocol requires that the value $\varphi$
be shared additively among the three parties. That is, $\varphi = \varphi_a + \varphi_b + \varphi_c$ where only party $i$ knows $\varphi_i$
for $i = a, b, c$.

An additive sharing of $\varphi$ is achieved by observing that $\varphi = N - pq - pr - qr + p + q + r - 1$. To
share $\varphi$ it suffices to represent $pq + pr + qr$ using an additive sharing $A + B + C$ among the three
parties. The additive sharing of $\varphi$ is then

$$\varphi_a = N - A + p_a + q_a + r_a - 1 \,;\quad \varphi_b = -B + p_b + q_b + r_b \,;\quad \varphi_c = -C + p_c + q_c + r_c$$

The conversion of $pq + pr + qr$ into an additive sharing $A + B + C$ is carried out using a simple variant
of the BGW protocol used in the computation of $N$. The BGW protocol can be used to compute
the value $pq$; however, instead of making the final result public the BGW variant shares the result
additively among the three parties. The details of this variant can be found in [2, Section 6.2].

As before, we do not give the full details of the protocol for converting $pq + pr + qr$ into an additive
sharing. Since we wish to focus on the primality test it suffices to assume that an additive sharing of
$\varphi$ is available in the form of $\varphi_a + \varphi_b + \varphi_c$.

In addition to a sharing of $\varphi$ we also require an additive sharing of $\psi = (p+1)(q+1)(r+1)$. Once
an additive sharing of $pq + pr + qr$ is available it is trivial to generate an additive sharing of $\psi$. Simply
set

$$\psi_a = N + A + p_a + q_a + r_a + 1 \,;\quad \psi_b = B + p_b + q_b + r_b \,;\quad \psi_c = C + p_c + q_c + r_c$$

3.4 Comparison protocol

Our primality test makes use of what we call a comparison protocol. Let $A$ be a value known to Alice,
$B$ a value known to Bob and $C$ a value known to Carol. We may assume $A, B, C \in \mathbb{Z}_N^*$. The protocol
enables the three parties to test that $ABC = 1 \bmod N$ without revealing any other information about
the product $ABC$. We give the full details of the protocol in this section.

Let $P > N$ be some prime known to all parties. The protocol proceeds as follows:

Step 1. Carol picks a random element $C_1 \in \mathbb{Z}_N^*$ and sets $C_2 = C C_1^{-1} \bmod N$. Clearly $C = C_1 C_2 \bmod
N$. Carol then sends $C_1$ to Alice and $C_2$ to Bob.

Step 2. Alice sets $A' = A C_1$ and Bob sets $B' = (B C_2)^{-1} \bmod N$. Both values $A'$ and $B'$ can be
viewed as integers in the range $[0, N)$. The problem is now reduced to testing whether $A' = B'$
(as integers) without revealing any other information about $A$ and $B$.

Step 3. Alice picks a random $c \in \mathbb{Z}_P$ and $d \in \mathbb{Z}_P$. She sends $c, d$ to Bob. Alice then computes
$h(A') = cA' + d \bmod P$ and sends the result to Carol. Bob computes $h(B') = cB' + d \bmod P$
and sends the result to Carol.

Step 4. Carol tests if $h(A') = h(B') \bmod P$. If so, she announces that $ABC = 1 \bmod N$. Otherwise
she announces $ABC \neq 1 \bmod N$.

The correctness and privacy of the protocol are stated in the next two lemmas. Correctness is 
elementary and is stated without proof. 
Lemma 3.1 Let $A, B, C \in \mathbb{Z}_N^*$. At the end of the protocol the parties correctly determine if $ABC =
1 \bmod N$ or $ABC \neq 1 \bmod N$.

Lemma 3.2 The protocol is 1-private. That is, other than the result of the test each party learns no
other information.

Proof To prove the protocol is 1-private we provide a simulation argument for each party's view of
the protocol. Alice's view of the protocol is made up of the values $A, C_1, c, d, h(A')$ and the final result
of the test. These values can be easily simulated by picking $C_1$ at random in $\mathbb{Z}_N^*$, picking $c$ at random
in $\mathbb{Z}_P$ and $d$ at random in $\mathbb{Z}_P$. This is a perfect simulation of Alice's view. A simulation argument for
Bob is essentially the same.

Simulating Carol's view is more interesting. Carol's view consists of $C, C_1, C_2, h(A'), h(B')$ and
the result of the test. The point is that $h(A')$ and $h(B')$ reveal no information about $A$ and $B$ since
they are either equal, or random independent elements of $\mathbb{Z}_P$. Which of the two holds is determined by the
result of the test. The independence follows since the family of hash functions $h(x) = cx + d \bmod P$
is a universal family of hash functions (i.e. not knowing $c, d$ the values $h(x), h(y)$ are independent for
any $x \neq y \in \mathbb{Z}_P$).

To simulate Carol's view the simulator picks $C_1, C_2 \in \mathbb{Z}_N^*$ at random so that $C = C_1 C_2 \bmod N$.
Then depending on the result of the test it either picks the same random element of $\mathbb{Z}_P$ twice or
picks two random independent elements of $\mathbb{Z}_P$. This is a perfect simulation of Carol's view. This
proves Carol gains no extra information from the protocol since, given the outcome of the test, she can
generate the values sent by Alice and Bob herself. □
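The comparison protocol of this section, as an added local simulation (not code from the paper): one function plays all four steps with the values each party would hold, and a second function is the simulator for Carol's view from the proof of Lemma 3.2. It assumes a demo-sized $N$ and takes $P$ as the next prime above $N$; one deliberate deviation, marked in a comment, is that $c$ is drawn from $\mathbb{Z}_P^*$ rather than $\mathbb{Z}_P$, so the degenerate hash $c = 0$ can never make two different values collide.

```python
import secrets
from math import gcd


def next_prime(n):
    """Smallest prime greater than n (trial division; fine for demo-sized N)."""
    c = n + 1
    while any(c % d == 0 for d in range(2, int(c ** 0.5) + 1)):
        c += 1
    return c


def rand_unit(N, rng=secrets.randbelow):
    """Uniform random element of Z_N^*."""
    while True:
        x = rng(N)
        if gcd(x, N) == 1:
            return x


def comparison_protocol(A, B, C, N, P, rng=secrets.randbelow):
    """Steps 1-4 of Section 3.4.  Returns (verdict, views): verdict is Carol's
    announcement 'ABC = 1 mod N'; views records what each party gets to see."""
    # Step 1: Carol splits C = C1 * C2 mod N and sends C1 to Alice, C2 to Bob.
    C1 = rand_unit(N, rng)
    C2 = C * pow(C1, -1, N) % N
    # Step 2: Alice forms A' = A*C1, Bob forms B' = (B*C2)^-1, both as integers in [0, N).
    # ABC = 1 mod N  <=>  A*C1 = (B*C2)^-1 mod N  <=>  A' == B' as integers.
    A_prime = A * C1 % N
    B_prime = pow(B * C2 % N, -1, N)
    # Step 3: Alice picks the universal hash h(x) = c*x + d mod P and sends (c, d) to Bob.
    # Deviation from the text (assumption of this demo): c != 0, so that A' != B'
    # always yields h(A') != h(B') (A', B' < N < P, hence A' - B' is nonzero mod P).
    c = 1 + rng(P - 1)
    d = rng(P)
    hA = (c * A_prime + d) % P
    hB = (c * B_prime + d) % P
    # Step 4: Carol compares the two hashes and announces the result.
    verdict = hA == hB
    views = {"alice": (A, C1, c, d, hA),
             "bob": (B, C2, c, d, hB),
             "carol": (C, C1, C2, hA, hB)}
    return verdict, views


def simulate_carol_view(C, N, P, verdict, rng=secrets.randbelow):
    """Simulator from the proof of Lemma 3.2: Carol's view is reproducible from C
    and the verdict alone, which is why the protocol leaks nothing else to her."""
    C1 = rand_unit(N, rng)
    C2 = C * pow(C1, -1, N) % N
    hA = rng(P)
    hB = hA if verdict else rng(P)   # equal hashes, or two independent ones
    return (C, C1, C2, hA, hB)


if __name__ == "__main__":
    N = 7 * 11 * 19                  # constructed demo modulus, three primes = 3 mod 4
    P = next_prime(N)
    A, B = 5, 9
    C = pow(A * B, -1, N)            # now ABC = 1 mod N
    print(comparison_protocol(A, B, C, N, P)[0])          # True
    print(comparison_protocol(A, B, 2 * C % N, N, P)[0])  # False
    print(simulate_carol_view(C, N, P, True))
```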



4 The probabilistic primality test 

We now describe the main primality test. As discussed in the previous section our primality test 
applies once the following setup is achieved: 

Shares Each party $i$ has three secret $n$-bit values $p_i, q_i, r_i$ for $i = a, b, c$.

The modulus $N = (p_a + p_b + p_c)(q_a + q_b + q_c)(r_a + r_b + r_c)$ is public. We set $p = p_a + p_b + p_c$, $q =
q_a + q_b + q_c$ and $r = r_a + r_b + r_c$. Throughout the section we are assuming that $p = q = r = 3 \bmod 4$.
Thus, the parties must a priori coordinate the two least significant bits of their shares so that
this condition holds.

Sharing $\varphi, \psi$: The parties share $(p-1)(q-1)(r-1)$ as $\varphi_a + \varphi_b + \varphi_c$ and $(p+1)(q+1)(r+1)$ as
$\psi_a + \psi_b + \psi_c$.

Given this setup they wish to test that $p, q$ and $r$ are distinct primes without revealing $p, q, r$. At this
point nothing is known about $p, q, r$ other than $p = q = r = 3 \bmod 4$. Throughout the section we use
the following notation:

$$\varphi = \varphi_a + \varphi_b + \varphi_c = (p-1)(q-1)(r-1)$$
$$\psi = \psi_a + \psi_b + \psi_c = (p+1)(q+1)(r+1)$$

Clearly if $N$ is a product of three distinct primes then $\varphi(N) = \varphi$. Otherwise, this equality may not
hold.
Our primality test is made up of four steps. We first state what each step tests for and in the
subsequent subsections explain how each step is carried out without revealing any information about
the factors of $N$.

Step 1 The parties pick a random $g \in \mathbb{Z}_N^*$ and jointly test that $g^{\varphi_a + \varphi_b + \varphi_c} = 1 \bmod N$. If the test
fails $N$ is rejected. This step reveals no information other than the outcome of the test. We
refer to this step as a Fermat test in $\mathbb{Z}_N^*$.

Step 2 The parties perform a Fermat test in the twisted group $T_N = (\mathbb{Z}_N[x]/(x^2+1))^* / \mathbb{Z}_N^*$. Elements
of this group can be viewed as points on the projective line over $\mathbb{Z}_N$. If $N$ is the product of three
distinct primes then the order of $T_N$ is $(p+1)(q+1)(r+1)$. Indeed, $x^2 + 1$ is irreducible modulo
$N$ since $p = q = r = 3 \bmod 4$. To carry out the Fermat test in $T_N$ the parties pick a random
$g \in T_N$ and jointly test that $g^{\psi_a + \psi_b + \psi_c} = 1$. If the test fails $N$ is rejected. This step reveals no
information other than the outcome of the test.

Step 3 The parties jointly test that $N$ is the product of at most three prime powers. The implementation
of this step is explained in the next subsection. If the test fails $N$ is rejected.

Step 4 The parties jointly test that

$$\gcd(N, p + q + r) = 1$$

This step reveals no information other than the outcome of the test. The implementation of this
step is explained in subsection 4.3. If the test fails $N$ is rejected. Otherwise $N$ is accepted
as the product of three primes.

The following fact about the twisted group $T_N = (\mathbb{Z}_N[x]/(x^2+1))^* / \mathbb{Z}_N^*$ is helpful in the proof of
the primality test.

Fact 4.1 Let $N$ be an integer and $k^2 \mid N$ with $k$ prime. Then $k$ divides both $\varphi(N)$ and $|T_N|$.

Proof Let $\alpha \geq 2$ be the number of times $k$ divides $N$, i.e. $N = k^\alpha w$ where $\gcd(k, w) = 1$. Then
$\varphi(N) = k^{\alpha - 1}(k - 1)\varphi(w)$ and hence $k$ divides $\varphi(N)$.

To see that $k$ divides $|T_N|$ note that $T_N = T_{k^\alpha} \times T_w$. When $k = 3 \bmod 4$ we know that $x^2 + 1$ is
irreducible in $\mathbb{Z}_k[x]$ and hence $|T_{k^\alpha}| = k^{\alpha - 1}(k + 1)$. It follows that $k$ divides $|T_N|$. When $k = 1 \bmod 4$
we have $|T_{k^\alpha}| = k^{\alpha - 1}(k - 1)$ and therefore again $k$ divides $|T_N|$. □

We can now prove that the above four steps are indeed a probabilistic test for proving that $N$ is
a product of three primes.

Theorem 4.2 Let $N = pqr = (p_a + p_b + p_c)(q_a + q_b + q_c)(r_a + r_b + r_c)$ where $p = q = r = 3 \bmod 4$ and
$\gcd(N, p + q + r) = 1$. If $N$ is a product of three primes it is always accepted. Otherwise, $N$ is rejected
with probability at least half. The probability is over the random choices made in steps 1-4 above.

Proof Suppose $p, q$ and $r$ are distinct primes. Then steps (1), (2) and (3) clearly succeed. Step (4)
succeeds by assumption on $N$. Hence, in this case $N$ always passes the test as required.

Suppose $N$ is not the product of three distinct primes. Assume for a contradiction that $N$ passes
all four steps with probability greater than 1/2. Since $N$ passes step (3) with probability greater than
1/2 we know that $N = z_1^{\alpha} z_2^{\beta} z_3^{\gamma}$ for three primes $z_1, z_2, z_3$ (not necessarily distinct). Since $N$ passes
step (4) we know $\gcd(N, p + q + r) = 1$. Define the following two groups:

$$G = \{ g \in \mathbb{Z}_N^* \text{ s.t. } g^{\varphi_a + \varphi_b + \varphi_c} = 1 \}$$
$$H = \{ g \in T_N \text{ s.t. } g^{\psi_a + \psi_b + \psi_c} = 1 \}$$

Clearly $G$ is a subgroup of $\mathbb{Z}_N^*$ and $H$ is a subgroup of the twisted group $T_N$. We show that at least
one of $G$ or $H$ is a proper subgroup, which will prove that either step (1) or (2) fails with probability
at least 1/2. There are two cases to consider.

Case 1: $p, q$, and $r$ are not pairwise relatively prime. By symmetry we may assume, without loss of
generality, that $\gcd(p, q) > 1$. Let $k$ be a prime factor of $\gcd(p, q)$. Recall that $N$ is odd so $k > 2$
(since $k$ divides $N$).

Since $N = pqr$ we know that $k^2 \mid N$. Hence, by Fact 4.1, $k \mid \varphi(N)$ and $k \mid |T_N|$. We claim that
either $k$ doesn't divide $\varphi$ or $k$ doesn't divide $\psi$. To see this observe that if $k \mid \varphi$ and $k \mid \psi$, then $k$
divides $\psi - \varphi = p(2q + 2r) + q(2r) + 2$. Since $k$ divides both $p$ and $q$ we conclude that $k \mid 2$, which
contradicts $k > 2$.

First we examine when $k$ doesn't divide $\varphi$. Since $k$ is a prime factor of $\varphi(N)$ there exists an
element $g \in \mathbb{Z}_N^*$ of order $k$. However, since $k$ does not divide $\varphi$ we know that $g^\varphi \neq 1$. Hence,
$g \notin G$, proving that $G$ is a proper subgroup of $\mathbb{Z}_N^*$. If $k$ doesn't divide $\psi$ a similar argument
proves that $H$ is a proper subgroup of the twisted group $T_N$.

Case 2: $p, q$, and $r$ are pairwise relatively prime. We can write $p = z_1^{\alpha}$, $q = z_2^{\beta}$ and $r = z_3^{\gamma}$ with
$z_1, z_2, z_3$ distinct primes. By assumption we know that one of $\alpha, \beta, \gamma$ is greater than 1. Without
loss of generality we may assume $\alpha > 1$.

We first observe that none of the $z_i$ can divide $\gcd(\varphi, \psi)$. Indeed, if this were not the case
then $z_i \mid \varphi + \psi = 2(N + p + q + r)$. But then, since $z_i$ divides $N$ it must also divide $p + q + r$,
contradicting the fact that $\gcd(N, p + q + r) = 1$ as tested in step (4).

We now know that $z_1$ does not divide $\varphi$ or it does not divide $\psi$. However, since $z_1^2$ divides $N$ we
obtain, by Fact 4.1, that $z_1 \mid \varphi(N)$ and $z_1 \mid |T_N|$. We can now proceed as in case (1) to prove that
either $G$ is a proper subgroup of $\mathbb{Z}_N^*$ or $H$ is a proper subgroup of $T_N$. □

Clearly most integers $N$ that are not a product of three primes will already fail step (1) of the
test. Hence, steps (2-4) are most likely executed only once a good candidate $N$ is found.

The condition $\gcd(N, p + q + r) = 1$ is necessary. Without it the theorem is false, as can be seen
from the following simple example: $p = p_1^2$, $q = a p_1 + 1$, $r = b p_1 - 1$ where $p_1, q, r$ are three odd
primes with $p = q = r = 3 \bmod 4$. In this case $N = pqr$ will always pass steps 1-3 even though it is
not a product of three distinct primes.

4.1 Step 3: Testing that $N = p^{\alpha} q^{\beta} r^{\gamma}$

Our protocol for testing that $N$ is a product of three prime powers borrows from a result of van de
Graaf and Peralta [12]. Our protocol works as follows:

Step 0 By definition of $\varphi$ we know it is divisible by 8. However, the individual shares $\varphi_a, \varphi_b, \varphi_c$ which
sum to $\varphi$ may not be. To correct this Alice generates two random numbers $a_1, a_2 \in \mathbb{Z}_8$ such that
$a_1 + a_2 = \varphi_a \bmod 8$. She sends $a_1$ to Bob and $a_2$ to Carol. Alice sets $\varphi_a \leftarrow \varphi_a - a_1 - a_2$, Bob
sets $\varphi_b \leftarrow \varphi_b + a_1$ and Carol sets $\varphi_c \leftarrow \varphi_c + a_2$. Observe that at this point
Step 1 The parties first agree on eight random numbers $g_1, \dots, g_8 \in \mathbb{Z}_N^*$, all with Jacobi symbol $+1$.

Step 2 For $i, j = 1, \dots, 8$ we say that $i$ is equivalent to $j$ if

$$(g_i / g_j)^{\varphi / 8} = 1 \pmod N$$

Since all three parties know $g_i$ and $g_j$ they can test if $i$ is equivalent to $j$ as follows:

1. Alice computes $A = (g_i/g_j)^{\varphi_a / 8} \bmod N$,
Bob computes $B = (g_i/g_j)^{\varphi_b / 8} \bmod N$ and
Carol computes $C = (g_i/g_j)^{\varphi_c / 8} \bmod N$.

2. Using the comparison protocol of Section 3.4 they then test if $ABC = 1 \bmod N$. The
comparison protocol reveals no information other than whether $ABC = 1 \bmod N$ or not.

Step 3 If the number of equivalence classes is greater than four $N$ is rejected. Otherwise $N$ is
accepted.

Testing that the number of equivalence classes is at most four requires at most 22 invocations
of the comparison protocol in the worst case. The reason for restricting attention to elements $g_i$ of
Jacobi symbol $+1$ is efficiency. Without this restriction the number of equivalence classes to check for
is eight. Thus, many more applications of the comparison protocol are necessary.

The following lemma shows that when $N$ is a product of three distinct primes it is always accepted.
When $N$ has more than three prime factors it is rejected with probability at least 1/2. If $N$ is a product
of three prime powers it may always be accepted by this protocol. We use the following notation:

$$J = \{ g \in \mathbb{Z}_N^* \text{ s.t. } \left(\tfrac{g}{N}\right) = +1 \}$$

$$Q = \{ g \in J \text{ s.t. } g \text{ is a quadratic residue in } \mathbb{Z}_N^* \}$$

The index of $Q$ in $J$ is $2^{d(N) - 1}$ where $d(N)$ is the number of distinct prime factors of $N$.

Lemma 4.3 Let $N = pqr$ be an integer with $p = q = r = 3 \bmod 4$. If $p, q, r$ are distinct primes then
$N$ is always accepted. If the number of distinct prime factors of $N$ is greater than three then $N$ is
rejected with probability at least $\tfrac{1}{2}$.

Proof If $N$ is the product of three distinct primes then the index of $Q$ in $J$ is four. Two elements
$g_1, g_2 \in \mathbb{Z}_N^*$ belong to the same coset of $Q$ in $J$ if and only if $g_1 / g_2$ is a quadratic residue, i.e. if and
only if $(g_1 / g_2)^{\varphi(N) / 8} = 1 \bmod N$. Since in this case $\varphi(N) = \varphi = \varphi_a + \varphi_b + \varphi_c$, step (2) tests if $g_i$ and
$g_j$ are in the same coset of $Q$. Since the number of cosets is four there are exactly four equivalence
classes and thus $N$ is always accepted.

If $N$ contains at least four distinct prime factors we show that it is rejected with probability at
least 1/2. Define

$$\hat{Q} = \{ g \in J \text{ s.t. } g^{\varphi / 8} = 1 \pmod N \}$$

Since in this case $\varphi$ may not equal $\varphi(N)$ the group $\hat{Q}$ is not the same as the group $Q$.

We show that the index of $\hat{Q}$ in $J$ is at least eight. Since $p = q = r = 3 \bmod 4$ we know that $\varphi / 8$
is odd (since $\varphi = (p-1)(q-1)(r-1)$). If $g \in J$ satisfies $g^x = 1$ for some odd $x$ then $g$ must be a
quadratic residue (its root is $g^{(x+1)/2}$). Hence, $\hat{Q} \subseteq Q$ and hence $\hat{Q}$ is a subgroup of $Q$. Since the index
of $Q$ in $J$ is at least eight it follows that the index of $\hat{Q}$ in $J$ is at least eight.

It remains to show that when the index of $\hat{Q}$ in $J$ is at least eight then $N$ is rejected with probability
at least 1/2. In step (2) two elements $g_1, g_2 \in J$ are equivalent if they belong to the same coset of $\hat{Q}$
in $J$. Let $R$ be the event that all 8 elements $g_i \in J$ chosen randomly in step (1) fall into only four of
the eight cosets. Then

$$\Pr[R] \leq \binom{8}{4} \cdot \left(\frac{1}{2}\right)^8 \approx 0.27 < \frac{1}{2}$$

$N$ is accepted only when the event $R$ occurs. Since it occurs with probability less than 1/2 the number
$N$ is rejected with probability at least 1/2 as required. □
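The four-step test of Section 4, with step 3 implemented by the eight Jacobi-symbol-$(+1)$ elements of Section 4.1, as an added local simulation that is not code from the paper: everything is computed in one place from $p, q, r$ (so $\varphi$ and $\psi$ are formed directly rather than from shares, and each pairwise test stands in for one run of the comparison protocol). The twisted-group arithmetic represents $u + vx \in \mathbb{Z}_N[x]/(x^2+1)$ as a pair $(u, v)$; the demo moduli are constructed, not from the paper.

```python
import secrets
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def rand_unit(N, rng=secrets.randbelow):
    """Uniform random element of Z_N^*."""
    while True:
        g = rng(N)
        if gcd(g, N) == 1:
            return g


def tw_mul(x, y, N):
    """Multiply u + v*x elements of Z_N[x]/(x^2 + 1), using x^2 = -1."""
    (u1, v1), (u2, v2) = x, y
    return ((u1 * u2 - v1 * v2) % N, (u1 * v2 + u2 * v1) % N)


def tw_pow(g, e, N):
    """Square-and-multiply exponentiation in Z_N[x]/(x^2 + 1)."""
    result, base = (1, 0), g
    while e:
        if e & 1:
            result = tw_mul(result, base, N)
        base = tw_mul(base, base, N)
        e >>= 1
    return result


def phi_psi(p, q, r):
    """phi = (p-1)(q-1)(r-1) and psi = (p+1)(q+1)(r+1) of Section 4."""
    return (p - 1) * (q - 1) * (r - 1), (p + 1) * (q + 1) * (r + 1)


def step1_fermat_zn(g, N, phi):
    """Step 1: Fermat test in Z_N^*: g^phi = 1 mod N."""
    return pow(g, phi, N) == 1


def step2_fermat_twisted(g, N, psi):
    """Step 2: Fermat test in T_N = (Z_N[x]/(x^2+1))^* / Z_N^*.  An element of the
    quotient is the identity iff it lies in Z_N^*, i.e. its x-coefficient is 0."""
    u, v = tw_pow(g, psi, N)
    return v == 0 and gcd(u, N) == 1


def step3_prime_powers(N, phi, rng=secrets.randbelow):
    """Step 3 (Section 4.1): eight random g_i in J (Jacobi symbol +1); g_i ~ g_j iff
    (g_i/g_j)^{phi/8} = 1 mod N.  Accept iff at most four equivalence classes.
    Returns (accepted, number of pairwise tests), each test being one run of
    the comparison protocol in the real protocol."""
    gs = []
    while len(gs) < 8:
        g = rand_unit(N, rng)
        if jacobi(g, N) == 1:
            gs.append(g)
    e = phi // 8            # phi is divisible by 8 because p, q, r = 3 mod 4
    reps, tests = [], 0     # one representative per class found so far
    for g in gs:
        for h in reps:
            tests += 1
            if pow(g * pow(h, -1, N), e, N) == 1:
                break       # same class as an earlier element
        else:
            reps.append(g)
            if len(reps) > 4:
                return False, tests
    return True, tests


def step4_gcd(N, p, q, r):
    """Step 4: gcd(N, p + q + r) = 1."""
    return gcd(N, p + q + r) == 1


def three_prime_test(p, q, r, rounds=1, rng=secrets.randbelow):
    """Run steps 1-4 'rounds' times on N = pqr; accept only if every run passes."""
    assert p % 4 == 3 and q % 4 == 3 and r % 4 == 3, "test assumes p = q = r = 3 mod 4"
    N = p * q * r
    phi, psi = phi_psi(p, q, r)
    for _ in range(rounds):
        g1 = rand_unit(N, rng)
        while True:     # random point of T_N: u + v*x is a unit iff u^2 + v^2 is a unit
            g2 = (rng(N), rng(N))
            if gcd(g2[0] ** 2 + g2[1] ** 2, N) == 1:
                break
        if not (step1_fermat_zn(g1, N, phi) and step2_fermat_twisted(g2, N, psi)
                and step3_prime_powers(N, phi, rng)[0] and step4_gcd(N, p, q, r)):
            return False
    return True


if __name__ == "__main__":
    print(three_prime_test(7, 11, 19, rounds=5))   # three distinct primes: accepted
    print(three_prime_test(7, 11, 35, rounds=5))   # gcd(p, r) = 7: rejected w.h.p.
    print(three_prime_test(7, 11, 15))             # four primes, step 4 fails: rejected
```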

Next we prove that the protocol leaks no information when $N$ is indeed the product of three
distinct primes. In case $N$ is not of this form the protocol may leak some information; however in
this case $N$ is discarded and is of no interest. To prove that the protocol leaks no information we
rely on a classic cryptographic assumption [4] called Quadratic Residue Indistinguishability or QRI for
short. This cryptographic assumption states that when $N = pq$ with $p = q = 3 \bmod 4$ no polynomial
time algorithm can distinguish between the groups $J$ and $Q$ defined above. In other words, for any
polynomial time algorithm $\mathcal{A}$ and any constant $c > 0$

$$\left| \Pr_{g \in J}[\mathcal{A}(g) = \text{"yes"}] - \Pr_{g \in Q}[\mathcal{A}(g) = \text{"yes"}] \right| < \frac{1}{(\log N)^c}$$

The following lemma relies on QRI when $N$ is the product of three primes.

Lemma 4.4 If $N$ is a product of three distinct primes then the protocol is 1-private assuming QRI.

Proof Sketch To prove that each party learns no information other than the fact that $N$ is a product
of three prime powers we provide a simulation argument. We show that each party can simulate
its view of the protocol. Hence, whatever values it receives from its peers, it could have generated
itself. By symmetry we may only consider Alice. Alice's view of the protocol consists of the elements
$g_1, \dots, g_8$ and bit values $b_{i,j}$ indicating whether $(g_i/g_j)^{\varphi/8} = 1$ (we already gave a simulation algorithm
for the comparison protocol in Section 3.4). Thus, Alice learns whether $g_i/g_j$ is a quadratic residue or
not. We argue that under QRI this provides no computational information since it can be simulated.
To simulate Alice's view the simulation algorithm works as follows: it picks eight random elements
$g_1, \dots, g_8 \in J$. It then randomly associates with each $g_i$ a value in the set $\{0, 1, 2, 3\}$. This value
represents the coset of $Q$ that $g_i$ is in. The simulator then says that $g_i/g_j$ is a quadratic residue if
and only if the value associated with $g_i$ is equal to that associated with $g_j$. Under QRI the resulting
distribution on $g_1, \dots, g_8, b_{1,1}, \dots, b_{8,8}$ is computationally indistinguishable from Alice's true view
of the protocol. We note that the value $a_1 \in \mathbb{Z}_8$ Alice sends Bob in Step (0) is a uniform random
element of $\mathbb{Z}_8$. Hence, it is trivially simulatable by Bob. Similarly $a_2 \in \mathbb{Z}_8$ is simulatable by Carol. □

4.2 Implementing a Fermat test with no information leakage

We briefly show how to implement a Fermat test in $\mathbb{Z}_N^*$ without leaking any extra information about
the private shares. The exact same method works in the twisted group $T_N$ as well.
To check that $g \in \mathbb{Z}_N^*$ satisfies $g^{\varphi_a + \varphi_b + \varphi_c} = 1 \bmod N$ we perform the following steps:

Step 1 Each party computes $R_i = g^{\varphi_i} \bmod N$ for $i = a, b, c$.

Step 2 They test that $R_a R_b R_c = 1 \bmod N$ by revealing the values $R_a, R_b, R_c$. Accept $N$ if the test
succeeds. Otherwise reject.

Clearly the protocol succeeds if and only if $g^{\varphi} = 1 \bmod N$. We show that it leaks no other
information.

Lemma 4.5 If $N = pqr$ is the product of three distinct primes then the protocol is 2-private.

Proof We show that any two parties learn no information about the private share of the third other
than $g^{\varphi} = 1 \bmod N$. By symmetry we restrict attention to Alice and Bob. Since by assumption $N$
is the product of three primes we know that $g^{\varphi} = 1 \bmod N$. Hence, $g^{\varphi_a + \varphi_b} = g^{-\varphi_c}$. To simulate the
value received from Carol the simulation algorithm simply computes $g^{-\varphi_c}$. Indeed, this is a perfect
simulation of Alice and Bob's view. Thus, they learn nothing from Carol's message since they could
have generated it themselves. □
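The additive sharing of $\varphi$ and $\psi$ from Section 3.3 and the share-based Fermat test of this section, as an added local simulation (not code from the paper): it builds the $\varphi_i, \psi_i$ from the parties' shares and an additive sharing $A + B + C$ of $pq + pr + qr$, has each party reveal $R_i = g^{\varphi_i} \bmod N$, and checks the Lemma 4.5 simulator $g^{-(\varphi_a + \varphi_b)}$ against Carol's real message. The BGW variant of [2, Section 6.2] is replaced by a constructed stand-in (`additive_split`) that splits a value it already knows, and the demo shares are constructed with the low two bits coordinated as Section 3.2 requires.

```python
import secrets


def additive_split(value, bound, rng=secrets.randbelow):
    """Constructed stand-in for the BGW variant of [2, Section 6.2]: returns (A, B, C)
    with A + B + C == value as integers.  B and C are uniform in [0, bound).  In the
    real protocol no single party knows 'value'; here it is only used to build shares."""
    B, C = rng(bound), rng(bound)
    return value - B - C, B, C


def demo_shares(p, q, r, rng=secrets.randbelow):
    """Constructed shares of p, q, r.  Bob's and Carol's shares are multiples of 4 and
    Alice takes the remainder, so every sum is 3 mod 4 and the parties know each
    other's two low bits a priori, as Section 3.2 describes."""
    def split(x):
        b, c = 4 * rng(x // 4), 4 * rng(x // 4)
        return x - b - c, b, c
    sp, sq, sr = split(p), split(q), split(r)
    return {party: (sp[k], sq[k], sr[k]) for k, party in enumerate("abc")}


def share_phi_psi(shares, rng=secrets.randbelow):
    """shares maps 'a', 'b', 'c' to that party's (p_i, q_i, r_i).  Returns N and the
    additive sharings {i: phi_i}, {i: psi_i} of Section 3.3."""
    p = sum(s[0] for s in shares.values())
    q = sum(s[1] for s in shares.values())
    r = sum(s[2] for s in shares.values())
    N = p * q * r
    A, B, C = additive_split(p * q + p * r + q * r, N, rng)
    own = {i: sum(shares[i]) for i in "abc"}          # p_i + q_i + r_i, known to party i
    # phi = N - (pq + pr + qr) + (p + q + r) - 1 ;  psi = N + (pq + pr + qr) + (p + q + r) + 1
    phi = {"a": N - A + own["a"] - 1, "b": -B + own["b"], "c": -C + own["c"]}
    psi = {"a": N + A + own["a"] + 1, "b": B + own["b"], "c": C + own["c"]}
    return N, phi, psi


def shared_fermat_test(g, N, phi):
    """Section 4.2: party i reveals R_i = g^{phi_i} mod N; accept iff R_a R_b R_c = 1.
    Shares may be negative; pow() with a modulus inverts g for us (Python >= 3.8)."""
    R = {i: pow(g, e, N) for i, e in phi.items()}
    return R, (R["a"] * R["b"] * R["c"]) % N == 1


def simulate_carol_message(g, N, phi_a, phi_b):
    """Simulator from Lemma 4.5: when N = pqr is a product of three primes,
    g^{phi_c} = g^{-(phi_a + phi_b)}, so Alice and Bob can predict R_c themselves."""
    return pow(g, -(phi_a + phi_b), N)


if __name__ == "__main__":
    shares = demo_shares(7, 11, 19)                   # constructed primes, all 3 mod 4
    N, phi, psi = share_phi_psi(shares)
    R, ok = shared_fermat_test(2, N, phi)
    print(N, ok, R["c"] == simulate_carol_message(2, N, phi["a"], phi["b"]))
```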



4.3 Step 4: Testing that gcd[N.p + q + r) = 1 in zero knowledge 

Our protocol for this step is based on a piotocol similar to the one used in the computation of N. We 
proceed as follows: 

;T| Step 1 Alice picks a random y a E Z,v- Bob picks a random yb E Carol picks a random y c E Z,y. 
p Step 2 Using the BGW protocol as in Section 3.2 they compute 

[]■ , R - (Pa + q a + Pb + Qb + Pc + <lc){Va -r tjb + Vc) Hiod A^ 

At the end of the protocol R is publicly known, however no other information about the private 
= : shares is revealed. 

I* 5 , Step 3 Now that R is public the parties test that gcdfi?. N) — 1. If not. Af is rejected. Otherwise :V 
is accepted. 

Lemma 4.6 If $N = pqr$ is the product of three distinct n-bit primes with $\gcd(N, p + q + r) = 1$ then 
N is accepted with probability $1 - \epsilon$ for $\epsilon < 1/2^n$. Otherwise, N is always rejected. 

Proof Clearly if $\gcd(N, p + q + r) > 1$ then $\gcd(R, N) > 1$ and therefore N is always rejected. If 
$\gcd(N, p + q + r) = 1$ then N is rejected only if $\gcd(N, y_a + y_b + y_c) > 1$. Since $y_a + y_b + y_c$ is a random 
element of $\mathbb{Z}_N$ this happens with probability less than $(1/2)^n$. □ 

Lemma 4.7 If $N = pqr$ is the product of three distinct n-bit primes with $\gcd(N, p + q + r) = 1$ then 
the protocol is 1-private. 

Proof Since the BGW protocol is 1-private the above protocol can be at most 1-private. We show 
how to simulate Alice's view. Alice's view consists of her private shares $p_a, q_a, y_a$ and the number R. 
Since R is independent of her private shares the simulator can simulate Alice's view by simply picking 
R in $\mathbb{Z}_N$ at random. This is a perfect simulation. □ 
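The three steps above, run by three simulated parties, as an added example that is not code from the paper. It stands in for the BGW computation of Section 3.2 with degree-1 Shamir sharing over $\mathbb{Z}_N$ at the points 1, 2, 3 (an assumption: since R is opened anyway, one local multiplication followed by reconstruction suffices, and the Lagrange coefficients at these points are integers, so no inverses modulo the composite N are needed), and it writes each party's contribution to p + q + r as a single additive share s_i (an assumption standing in for the p_i, q_i shares in the formula of Step 2). The toy primes and shares are constructed.

```python
import math
import random


def share(secret, N, rng):
    """Degree-1 Shamir sharing of `secret` over Z_N, evaluated at x = 1, 2, 3.
    N is odd, so each single share is uniform in Z_N and one party alone
    learns nothing about the secret from it (the 1-privacy of Lemma 4.7)."""
    a1 = rng.randrange(N)
    return [(secret + a1 * x) % N for x in (1, 2, 3)]


def open_deg2(f1, f2, f3, N):
    """Recover f(0) from f(1), f(2), f(3) for any polynomial of degree <= 2.
    At these points the Lagrange coefficients are the integers 3, -3, 1."""
    return (3 * f1 - 3 * f2 + f3) % N


def gcd_test(N, s_shares, y=None, rng=None):
    """Steps 1-3 of Section 4.3 for three parties.
    s_shares: party i's additive share s_i with s_a + s_b + s_c = p + q + r
    (assumed stand-in for the paper's p_i, q_i shares).
    y: optional fixed choices of y_a, y_b, y_c (for reproducible runs only).
    Returns (accepted, R); R is the only value the protocol makes public."""
    rng = rng or random.SystemRandom()
    # Step 1: every party picks a random y_i in Z_N.
    y = list(y) if y is not None else [rng.randrange(N) for _ in range(3)]
    # Step 2: each input is secret-shared; party j holds column j of every sharing.
    s_sh = [share(s, N, rng) for s in s_shares]
    y_sh = [share(v, N, rng) for v in y]
    # Local additions give each party a degree-1 share of S = p+q+r and of
    # Y = y_a + y_b + y_c; local multiplication gives a degree-2 share of S*Y.
    S_at = [sum(s_sh[i][j] for i in range(3)) % N for j in range(3)]
    Y_at = [sum(y_sh[i][j] for i in range(3)) % N for j in range(3)]
    R_at = [(S_at[j] * Y_at[j]) % N for j in range(3)]
    # The three product shares are published and combined into R = S*Y mod N.
    R = open_deg2(*R_at, N)
    # Step 3: accept N iff gcd(R, N) = 1.
    return math.gcd(R, N) == 1, R


if __name__ == "__main__":
    # Constructed toy modulus: p, q, r all congruent to 3 mod 4, gcd(N, p+q+r) = 1.
    p, q, r = 7, 11, 19
    N = p * q * r                          # 1463
    good_shares = [13, 17, 7]              # additive shares of p + q + r = 37
    print(gcd_test(N, good_shares))        # accepted unless gcd(Y, N) > 1 (Lemma 4.6)
    # Constructed bad case: p + q + r = 21 shares a factor with N = 3 * 7 * 11 = 231.
    print(gcd_test(231, [10, 5, 6]))       # always rejected, whatever y is chosen
```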
5 Extensions 



One can naturally extend our protocols in two ways. First, one may allow more than three parties to 
generate a product of three primes with an unknown factorization. Second, one may wish to design 
primality tests for testing that N is a product of k primes for some small k. We briefly discuss both 
extensions below. 

Our protocols easily generalize to allow any number of parties. When k parties are involved the 
protocols can be made $\lfloor \frac{k-1}{2} \rfloor$-private. This is optimal in the information theoretic sense and follows 
from the privacy properties of the BGW protocol. The only complexities in this extension are the 
comparison protocol of Section 3.4 and Step (0) of Section 4.1. Both protocols generalize to k parties, 
however they require a linear (in k) number of rounds of communication. 

Securely testing that N is a product of k primes for some fixed k > 3 seems to be harder. Our 
results apply when k = 4 (indeed Theorem 4.2 remains true in this case). For k > 4 more complex 
algorithms are necessary. This extension may not be of significant interest since it is not well motivated 
and requires complex protocols. 

Another natural question is whether only two parties can generate a product of three primes with 
an unknown factorization. The answer appears to be yes although the protocols cannot be information 
theoretically secure. Essentially one needs to replace the BGW protocol for computing N with a two-
party private multiplication protocol. This appears to be possible using results of [6, 3]. 

6 Conclusions and open problems 

Our main contribution is the design of a probabilistic primality test that enables three (or more) 
parties to generate a number N with an unknown factorization and test that N is the product of three 
distinct primes. The correctness of our primality test relies on the fact that we simultaneously work in 
two different subgroups of $(\mathbb{Z}_N[x]/(x^2 + 1))^*$, namely $\mathbb{Z}_N^*$ and the projective line over $\mathbb{Z}_N$. Our protocol 
generalizes to an arbitrary number of parties k and achieves $\lfloor \frac{k-1}{2} \rfloor$-privacy, the best possible in an 
information theoretic setting. 

Recall that our primality test can be applied to $N = pqr$ whenever $p \equiv q \equiv r \equiv 3 \pmod 4$. We 
note that simple modifications enable one to apply the test when $p \equiv q \equiv r \equiv 1 \pmod 4$ (essentially 
this is done by reversing the roles of $\mathbb{Z}_N^*$ and the twisted group). However, it seems that one of these 
restrictions is necessary. We do not know how to carry out the test without the assumption that 
$p \equiv q \equiv r \pmod 4$. The assumption plays a crucial role in the proof of Lemma 4.3. 

A natural question is whether more advanced primality testing techniques can be used to improve 
the efficiency of our test. For instance, recent elegant techniques due to Grantham [11] may be 
applicable in our scenario as well. 
Here y is an unknown integer vector. The matrices K and L 
and the vector S are known. The inequality 0 < < 1 

is used to find integer solutions for y, which are inserted in 
the last equation, yielding x which are tested as hypothetical 
solutions to the knapsack problem. 



A FAST GENERATOR OF LARGE PRIME NUMBERS, J.J. Quisquater and 
C. Couvreur (Philips Research Laboratory, Av. van Becelaere 2, 
Box 8, B-1170 Brussels, Belgium). An analysis of the Rivest-Shamir-
Adleman public-key cryptosystem has shown that its security 
is based on the difficulty of factoring numbers r which are 
the product of two large primes p and q. Some constraints must 
be put on p and q to create secure keys. The process of devising 
suitable values for p and q requires first a method for 
finding large random primes (each about 10^50 if p and q must 
be about 10^100). 

A fast algorithm for generating such primes is presented. This 
algorithm is distinguishable from the probabilistic algorithms 
in that the so generated numbers are certified to be prime for 
a lower time complexity. Recently, Adleman, Rumely, Pomerance 
and Lenstra described an algorithm for distinguishing prime 
numbers from composite numbers. On the other hand, Williams and 
Schmid, Crandall and Penk, and chiefly Plaisted proposed a 
method for generating prime numbers. These have been adapted for 
our purposes. 

An experimental version of our generator has been implemented 
on a VAX 11-780. The following table gives some results on the 
generation of random prime numbers of given length. The likely 
primes have been found using Rabin's algorithm, each prime being 
tested with 20 random numbers. The certified primes are generated 
by our algorithm. Let us remark that the comparisons are 
made with the same sets of numbers to be tested and the same 
partial sieving. 



length of number               certified      likely 
(decimal representation)       prime          prime 

          50                    5 sec.        20 sec. 
          67                   11 sec.        50 sec. 
         115                   60 sec.       250 sec. 
         200                  400 sec.      1800 sec. 



ON THE DESIGN AND ANALYSIS OF NEW CIPHER SYSTEMS RELATED TO THE 
DES, I. Schaumüller-Bichl (Institute of Systems Science, 
Johannes Kepler Universität Linz, A-4040 Linz, Austria). One 
essential, but up to now almost neglected item of the DES is its 
basic encryption scheme. It warrants, independently of the 
heavily discussed specific choices of the S-boxes, permutations, 
..., that for every encipher function there exists an 
easy to find decipher function and furthermore, that the 
algorithm is secure against "backward computation". 

Following this idea in the first part of the paper a new cipher 
system, called C80, is presented which is based on the DES 
encryption scheme. The components of the key are selected from 
the set of the residue classes modulo m, whereas m depends on 
the variable block length. The cipher function f is based on 
computing the scalar product of the key and parts of the 
plaintext. C80 provides any required level of security against 
brute force attacks and also promises to resist a short cut attack 
even better than the DES does. 

The "Generalized DES scheme" (GDES scheme) presented in the 
second chapter is an attempt to generalize the DES encryption 
scheme in a way that permits multiple encryption speed without 
risking security. 



CRITICAL ANALYSIS OF THE SECURITY OF KNAPSACK PUBLIC KEY 
ALGORITHMS, Y. Desmedt, J. Vandewalle and R. Govaerts (Katholieke 
Universiteit Leuven, Department Electrotechniek, Afdeling 
E.S.A.T., Kardinaal Mercierlaan 94, B-3030 Heverlee, Belgium). 
The authors claim that the security of the Merkle-Hellman 
algorithm is greatly exaggerated. They show that for their 
enciphering keys there exist infinitely many superincreasing 
keys which can decipher all messages. For example, applying the 
transformation x · 46 mod 77 to the enciphering key (5457, 1663, 
216, 6015, 7459) of Merkle and Hellman, one obtains the sequence 
(2, 57, 5, 14, 6), which is superincreasing after reordering. 

Moreover, an iterative transformation x · w mod m in the 
construction of the enciphering key may not increase the security. For 
example (25, 87, 33) is an enciphering key which is obtained 
after 2 transformations from (5, 10, 20) and hence considered 
to be safer by Merkle and Hellman. This enciphering key is 
however totally insecure because it is already superincreasing 
after reordering. 

The effect of such transformations can be reformulated as 
a · w − s · m for some s. This shows that several intervals of w/m 
lead to useful transformations. Moreover one key can decipher 
all messages if m is larger than the sum of all numbers in the 
deciphering keys, allowing us to generalize and improve the 
cracking idea and easy deciphering key of Herlestam and Shamir 
Informally speaking, if $A \equiv_P B$ then A and B are either both tractable or both in-
tractable, as the case may be. 



Chapter outline 

The remainder of the chapter is organized as follows. Algorithms for the integer factoriza-
tion problem are studied in §3.2. Two problems related to factoring, the RSA problem and 
the quadratic residuosity problem, are briefly considered in §3.3 and §3.4. Efficient algo-
rithms for computing square roots in $\mathbb{Z}_p$, p a prime, are presented in §3.5, and the equiva-
lence of the problems of finding square roots modulo a composite integer n and factoring 
n is established. Algorithms for the discrete logarithm problem are studied in §3.6, and 
the related Diffie-Hellman problem is briefly considered in §3.7. The relation between the 
problems of factoring a composite integer n and computing discrete logarithms in (cyclic 
subgroups of) the group $\mathbb{Z}_n^*$ is investigated in §3.8. The tasks of finding partial solutions 
to the discrete logarithm problem, the RSA problem, and the problem of computing square 
roots modulo a composite integer n are the topics of §3.9. The $L^3$-lattice basis reduction 
algorithm is presented in §3.10, along with algorithms for the subset sum problem and for 
simultaneous diophantine approximation. Berlekamp's Q-matrix algorithm for factoring 
polynomials is presented in §3.11. Finally, §3.12 provides references and further chapter 
notes. 



3.2 The integer factorization problem 

The security of many cryptographic techniques depends upon the intractability of the in- 
teger factorization problem. A partial list of such protocols includes the RSA public-key 
encryption scheme (§8.2), the RSA signature scheme (§11.3.1), and the Rabin public-key 
encryption scheme (§8.3). This section summarizes the current knowledge on algorithms 
for the integer factorization problem. 

3.3 Definition The integer factorization problem (FACTORING) is the following: given a 
positive integer n, find its prime factorization; that is, write $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ where the 
$p_i$ are pairwise distinct primes and each $e_i \ge 1$. 

3.4 Remark (primality testing vs. factoring) The problem of deciding whether an integer is 
composite or prime seems to be, in general, much easier than the factoring problem. Hence, 
before attempting to factor an integer, the integer should be tested to make sure that it is 
indeed composite. Primality tests are a main topic of Chapter 4. 

3.5 Remark (splitting vs. factoring) A non-trivial factorization of n is a factorization of the 
form n = ab where 1 < a < n and 1 < b < n; a and b are said to be non-trivial factors 
of n. Here a and b are not necessarily prime. To solve the integer factorization problem, it 
suffices to study algorithms that split n, that is, find a non-trivial factorization n = ab. Once 
found, the factors a and b can be tested for primality. The algorithm for splitting integers can 
then be recursively applied to a and/or b, if either is found to be composite. In this manner, 
the prime factorization of n can be obtained. 

3.6 Note (testing for perfect powers) If $n \ge 2$, it can be efficiently checked as follows whether 
or not n is a perfect power, i.e., $n = x^k$ for some integers $x \ge 2$, $k \ge 2$. For each prime 
Ch. 14 Efficient Implementation 

Table 14.14: Modular representations (see Example 14.69). 



$v_1^d \bmod p$ and $v_2^d \bmod q$ is faster than computing $x^d \bmod n$. For RSA, if p and q are part 
of the private key, modular representation can be used to improve the performance of both 
decryption and signature generation (see Note 14.75). 

Converting an integer x from a base b representation to a modular representation is eas-
ily done by applying a modular reduction algorithm to compute $v_i = x \bmod m_i$, $1 \le i \le t$. 
Modular representations of integers in $\mathbb{Z}_M$ may facilitate some computational efficiencies, 
provided conversion from a standard radix to modular representation and back are relatively 
efficient operations. Algorithm 14.71 describes one way of converting from modular rep-
resentation back to a standard radix representation. 



14.5.2 Garner's algorithm 

Garner's algorithm is an efficient method for determining x, $0 \le x < M$, given $v(x) = 
(v_1, v_2, \ldots, v_t)$, the residues of x modulo the pairwise co-prime moduli $m_1, m_2, \ldots, m_t$. 

14.71 Algorithm Garner's algorithm for CRT 

INPUT: a positive integer $M = \prod_{i=1}^{t} m_i > 1$, with $\gcd(m_i, m_j) = 1$ for all $i \ne j$, and a 
modular representation $v(x) = (v_1, v_2, \ldots, v_t)$ of x for the $m_i$. 
OUTPUT: the integer x in radix b representation. 

1. For i from 2 to t do the following: 

   1.1 $C_i \leftarrow 1$. 

   1.2 For j from 1 to (i − 1) do the following: 

       $u \leftarrow m_j^{-1} \bmod m_i$ (use Algorithm 14.61). 
       $C_i \leftarrow u \cdot C_i \bmod m_i$. 

2. $u \leftarrow v_1$, $x \leftarrow u$. 

3. For i from 2 to t do the following: $u \leftarrow (v_i - x) C_i \bmod m_i$, $x \leftarrow x + u \cdot \prod_{j=1}^{i-1} m_j$. 

4. Return(x). 



14.72 Fact x returned by Algorithm 14.71 satisfies $0 \le x < M$, $x \equiv v_i \pmod{m_i}$, $1 \le i \le t$. 

14.73 Example (Garner's algorithm) Let $m_1 = 5$, $m_2 = 7$, $m_3 = 11$, $m_4 = 13$, $M = 
\prod_{i=1}^{4} m_i = 5005$, and $v(x) = (2, 1, 3, 8)$. The constants $C_i$ computed are $C_2 = 3$, 
$C_3 = 6$, and $C_4 = 5$. The values of $(i, u, x)$ computed in step 3 of Algorithm 14.71 are 
(1, 2, 2), (2, 4, 22), (3, 7, 267), and (4, 5, 2192). Hence, the modular representation $v(x) = 
(2, 1, 3, 8)$ corresponds to the integer x = 2192. □ 
14.74 Note (computational efficiency of Algorithm 14.71) 

(i) If Garner's algorithm is used repeatedly with the same modulus M and the same fac-
tors of M, then step 1 can be considered as a precomputation, requiring the storage 
of t − 1 numbers. 

(ii) The classical algorithm for the CRT (Algorithm 2.121) typically requires a modular 
reduction with modulus M, whereas Algorithm 14.71 does not. Suppose M is a kt-
bit integer and each $m_i$ is a k-bit integer. A modular reduction by M takes $O((kt)^2)$ 
bit operations, whereas a modular reduction by $m_i$ takes $O(k^2)$ bit operations. Since 
Algorithm 14.71 only does modular reduction with $m_i$, $2 \le i \le t$, it takes $O(tk^2)$ 
bit operations in total for the reduction phase, and is thus more efficient. 

14.75 Note (RSA decryption and signature generation) 

(i) (special case of two moduli) Algorithm 14.71 is particularly efficient for RSA moduli 
n = pq, where $m_1 = p$ and $m_2 = q$ are distinct primes. Step 1 computes a single 
value $C_2 = p^{-1} \bmod q$. Step 3 is executed once: $u = (v_2 - v_1) C_2 \bmod q$ and 
$x = v_1 + up$. 

(ii) (RSA exponentiation) Suppose p and q are k-bit primes, and let n = pq. Let d be a 2k-
bit RSA private key. RSA decryption and signature generation compute $x^d \bmod n$ 
for some $x \in \mathbb{Z}_n$. Suppose that modular multiplication and squaring require $k^2$ bit 
operations for k-bit inputs, and that exponentiation with a k-bit exponent requires 
about $\frac{3}{2}k$ multiplications and squarings (see Note 14.78). Then computing $x^d \bmod n$ 
requires about $\frac{3}{2}(2k)^3 = 12k^3$ bit operations. A more efficient approach is to compute 
$x^{d_p} \bmod p$ and $x^{d_q} \bmod q$ (where $d_p = d \bmod (p - 1)$ and $d_q = d \bmod (q - 1)$), 
and then use Garner's algorithm to construct $x^d \bmod pq$. Although this procedure 
takes two exponentiations, each is considerably more efficient because the moduli 
are smaller. Assuming that the cost of Algorithm 14.71 is negligible with respect to 
the exponentiations, computing $x^d \bmod n$ is about $\frac{3}{2}(2k)^3 / 2(\frac{3}{2}k^3) = 4$ times faster. 
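Algorithm 14.71 and its two-modulus use in Note 14.75, as an added Python example that is not code from the Handbook. `garner` follows the steps of 14.71 literally and also returns the constants and the step-3 trace so the run can be checked against Example 14.73; `rsa_private_crt` is the RSA decryption of Note 14.75 with an assumed optional public-exponent check added on top. The toy RSA key (p = 61, q = 53, e = 17, d = 2753) is constructed for the example.

```python
def garner(v, m):
    """Algorithm 14.71 (Garner's CRT). Given residues v[i] = x mod m[i] for pairwise
    coprime moduli m, return (x, C, trace) with 0 <= x < M = prod(m), the constants
    C_i, and the (i, u, x) values of step 3 as listed in Example 14.73."""
    t = len(m)
    # Step 1: C_i = (m_1 * ... * m_{i-1})^{-1} mod m_i.  With fixed moduli this is a
    # precomputation (Note 14.74(i)); pow(a, -1, n) is Python's modular inverse.
    C = [None] * t
    for i in range(1, t):
        Ci = 1
        for j in range(i):
            Ci = (pow(m[j], -1, m[i]) * Ci) % m[i]
        C[i] = Ci
    # Step 2.
    x = v[0]
    trace = [(1, v[0], x)]
    prefix = m[0]                       # running product m_1 * ... * m_{i-1}
    # Step 3: every reduction is modulo a small m_i, never modulo M (Note 14.74(ii)).
    for i in range(1, t):
        u = ((v[i] - x) * C[i]) % m[i]
        x = x + u * prefix
        trace.append((i + 1, u, x))
        prefix *= m[i]
    return x, C, trace


def rsa_private_crt(c, d, p, q, e=None):
    """Note 14.75: c^d mod pq via two half-size exponentiations and the t = 2 case
    of Garner (one constant C_2 = p^{-1} mod q and a single step-3 iteration).
    If the public exponent e is given, the result is verified before being
    returned, so a wrong half-computation is never released (assumed extra check)."""
    n = p * q
    dp, dq = d % (p - 1), d % (q - 1)
    v1 = pow(c % p, dp, p)              # c^d mod p, using d_p = d mod (p - 1)
    v2 = pow(c % q, dq, q)              # c^d mod q, using d_q = d mod (q - 1)
    C2 = pow(p, -1, q)                  # Step 1 with m_1 = p, m_2 = q
    u = ((v2 - v1) * C2) % q            # Step 3, executed once
    x = v1 + u * p                      # already 0 <= x < pq; no reduction modulo n
    if e is not None and pow(x, e, n) != c % n:
        raise ValueError("CRT result does not verify against the public key")
    return x


if __name__ == "__main__":
    print(garner([2, 1, 3, 8], [5, 7, 11, 13]))     # Example 14.73: x = 2192
    p, q, e, d = 61, 53, 17, 2753                    # constructed toy RSA key
    c = pow(65, e, p * q)                            # encrypt the message 65
    print(rsa_private_crt(c, d, p, q, e), pow(c, d, p * q))
```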



14.6 Exponentiation 

One of the most important arithmetic operations for public-key cryptography is exponen-
tiation. The RSA scheme (§8.2) requires exponentiation in $\mathbb{Z}_m$ for some positive integer 
m, whereas Diffie-Hellman key agreement (§12.6.1) and the ElGamal encryption scheme 
(§8.4) use exponentiation in $\mathbb{Z}_p$ for some large prime p. As pointed out in §8.4.2, ElGamal 
encryption can be generalized to any finite cyclic group. This section discusses methods for 
computing the exponential $g^e$, where the base g is an element of a finite group G (§2.5.1) 
and the exponent e is a non-negative integer. A reader uncomfortable with the setting of a 
general group may consider G to be $\mathbb{Z}_m$; that is, read $g^e$ as $g^e \bmod m$. 

An efficient method for multiplying two elements in the group G is essential to per-
forming efficient exponentiation. The most naive way to compute $g^e$ is to do e − 1 multi-
plications in the group G. For cryptographic applications, the order of the group G typically 
exceeds $2^{160}$ elements, and may exceed $2^{1024}$. Most choices of e are large enough that it 
would be infeasible to compute $g^e$ using e − 1 successive multiplications by g. 

There are two ways to reduce the time required to do exponentiation. One way is to 
decrease the time to multiply two elements in the group; the other is to reduce the number 
of multiplications used to compute g e . Ideally, one would do both. 

This section considers three types of exponentiation algorithms. 
CERTIFICATE OF OWNERSHIP AND MERGER 

MERGING 
TANDEM COMPUTERS INCORPORATED 

INTO 

COMPAQ COMPUTER CORPORATION 

* * * * 

Compaq Computer Corporation, a corporation organized and existing under 
the laws of Delaware, 
DOES HEREBY CERTIFY: 

FIRST: That this corporation was incorporated on the 16th day of February, 
1982, pursuant to the General Corporation Laws of the State of Delaware. 

SECOND: That this corporation owns all of the outstanding shares of each 
class of the stock of Tandem Computers Incorporated, a corporation incorporated 
on the 7th day of January, 1980, pursuant to the General Corporation Laws of the 
State of Delaware. 

THIRD: That this corporation, by the following resolutions of its Board of 
Directors, duly adopted at a meeting held on the 10th day of December, 1998, 
determined to and did merge into itself said Tandem Computers Incorporated: 

RESOLVED, that the merger of Tandem Computers 
Incorporated into the Company be and it hereby is 
approved, and Compaq Computer Corporation does hereby 
assume all of the liabilities and obligations of and merge 
into itself Tandem Computers Incorporated; 

FURTHER RESOLVED, that the merger shall 
become effective on midnight December 31, 1998; and 

FURTHER RESOLVED, that any Vice President of the 
Company be and hereby is authorized and directed to 
execute a Certificate of Ownership and Merger setting forth 
a copy of the foregoing resolutions and to cause same to be 
filed with the Secretary of State, and to take such further 
actions and to execute such documents as may be necessary 
to implement the merger. 

IN WITNESS WHEREOF, said Compaq Computer Corporation has caused 
this Certificate to be signed by Linda S. Auwers, its Vice President, Associate 
General Counsel and Secretary, this 22nd day of December, 1998. 

Linda S. Auwers 

Vice President, Associate General 
Counsel and Secretary 
UNITED STATES PATENT AND TRADEMARK OFFICE 
NOTICE OF RECORDATION OF ASSIGNMENT DOCUMENT 

THE ENCLOSED DOCUMENT HAS BEEN RECORDED BY THE ASSIGNMENT DIVISION OF THE 
U.S. PATENT AND TRADEMARK OFFICE. A COMPLETE MICROFILM COPY IS AVAILABLE 
AT THE ASSIGNMENT SEARCH ROOM ON THE REEL AND FRAME NUMBER REFERENCED 
BELOW. 

PLEASE REVIEW ALL INFORMATION CONTAINED ON THIS NOTICE. THE INFORMATION 
CONTAINED ON THIS RECORDATION NOTICE REFLECTS THE DATA PRESENT IN THE 
PATENT AND TRADEMARK ASSIGNMENT SYSTEM. IF YOU SHOULD FIND ANY ERRORS OR 
HAVE QUESTIONS CONCERNING THIS NOTICE, YOU MAY CONTACT THE EMPLOYEE WHOSE 
NAME APPEARS ON THIS NOTICE AT 703-308-9723. PLEASE SEND REQUEST FOR 
CORRECTION TO: U.S. PATENT AND TRADEMARK OFFICE, ASSIGNMENT DIVISION, 
BOX ASSIGNMENTS, NORTH TOWER BUILDING, SUITE 10C35, WASHINGTON, D.C. 20231 

Recordation date: 05/07/1997        reel/frame: 8542/0875 
number of pages: 4 
brief: assignment of assignor's interest (see document for details). 

ASSIGNOR: COLLINS, THOMAS           DOC DATE: 04/29/1997 
ASSIGNOR: HOPKINS, DALE             DOC DATE: 04/29/1997 
ASSIGNOR: LANGFORD, SUSAN           DOC DATE: 04/30/1997 
ASSIGNOR: SABIN, MICHAEL            DOC DATE: 04/30/1997 

ASSIGNEE: TANDEM COMPUTERS INCORPORATED 
          10435 NORTH TANTAU AVENUE 
          CUPERTINO, CALIFORNIA 95014 

SERIAL NUMBER: 08784453             FILING DATE: 01/16/1997 
PATENT NUMBER:                      ISSUE DATE: 
Attorney Docket No. 10577-404 

U.S. DEPARTMENT OF COMMERCE 
Patent and Trademark Office 

To the Honorable Asst. Commissioner for Patents: Please record the attached 
original documents or copy thereof. 

(Received MAY 07 1997; stamped 100436861) 

1. Name of conveying party(ies): 
   Thomas Collins 
   Dale Hopkins 
   Susan Langford 
   Michael Sabin 

   Additional name(s) of conveying party(ies) attached?  Yes  No 

2. Name and address of receiving party(ies): 
   Name: Tandem Computers Incorporated 
   Internal Address: 
   Street Address: 10435 North Tantau Avenue 
   City: Cupertino   State: California   ZIP: 95014 

   Additional name(s) & address(es) attached?  Yes | x |  No 

3. Nature of conveyance: 
   [ x ] Assignment 
   [   ] Security Agreement 
   [   ] Merger 
   [   ] Change of Name 
   [   ] Other: 

   Execution Date: 4/29/97 and 4/30/97 

4. Application number(s) or patent number(s). 
   If this document is being filed together with a new application, the 
   execution date of the application is: 
   A. Patent Application No.(s): 08/784,453 
   B. Patent No.(s): 
   Additional numbers attached?  [   ] Yes  [ x ] No 

5. Name and address of party to whom correspondence 
   concerning document should be mailed: 
   Name: Robert J. Bennett 
   TOWNSEND and TOWNSEND and CREW LLP 
   Two Embarcadero Center, 8th Floor 
   San Francisco, California 94111-3834 
   (415) 576-0200 

6. Total number of applications and patents involved: 1 

7. Total fee (37 CFR 3.41): $40.00 
   [   ] Enclosed   [ x ] Charge Fees to Deposit Account 
   [ x ] Charge any additional fees associated with this paper or 
         during the pendency of this application, or credit any 
         overpayment, to deposit account 

8. Deposit account number: 20-1430 

9. Statement and signature. 
   To the best of my knowledge ... of the original document. 

   Robert J. Bennett 
   Name of Person Signing 
   Atty. Reg. No. 27,533 

Mail documents to be recorded with required cover sheet information to: 

Asst. Commissioner for Patents 
Box Assignments 
Washington, D.C. 20231 
Attorney Docket No. 010577-0404 
ASSIGNMENT OF PATENT APPLICATION 

JOINT 

WHEREAS, Thomas Collins of 14890 Baranza Lane, Saratoga, California 95070, Dale 
Hopkins of 2425 Ric Drive, Gilroy, California 95020, Susan Langford of 1275 Poplar 
Avenue, #101, Sunnyvale, California 94086 and Michael Sabin of 883 Mango Avenue, 
Sunnyvale, California 94087, hereinafter referred to as "Assignors," are the inventors of the 
invention described and set forth in the below identified application for United States Letters 
Patent: 

Title of the Invention: PUBLIC KEY CRYPTOGRAPHIC APPARATUS AND 
METHOD 

Date(s) of execution of Declaration: _. 

Filing date: January 16, 1997   Application No.: 08/784,453; and 

WHEREAS, TANDEM COMPUTERS INCORPORATED, a Delaware Corporation, located 
at 10435 North Tantau Avenue, Loc. 200-16, Cupertino, California 95014, hereinafter 
referred to as "Assignee," is desirous of acquiring an interest in the invention and application 
and in any Letters Patent and Registrations which may be granted on the same; 

For good and valuable consideration, receipt of which is hereby acknowledged 
by Assignors, Assignors have assigned, and by these presents do assign to Assignee all right, 
title and interest in and to the invention and application and to all foreign counterparts 
(including patent, utility model and industrial designs), and in and to any Letters Patent and 
Registrations which may hereafter be granted on the same in the United States and all countries 
throughout the world, and to claim the priority from the application as provided by the Paris 
Convention. The right, title and interest is to be held and enjoyed by Assignee and Assignee's 
successors and assigns as fully and exclusively as it would have been held and enjoyed by 
Assignors had this assignment not been made, for the full term of any Letters Patent and 
Registrations which may be granted thereon, or of any division, renewal, continuation in whole 
or in part, substitution, conversion, reissue, prolongation or extension thereof. 

Assignors further agree that they will, without charge to Assignee, but at 
Assignee's expense, (a) cooperate with Assignee in the prosecution of U.S. Patent applications 
and foreign counterparts on the invention and any improvements, (b) execute, verify, 
acknowledge and deliver all such further papers, including patent applications and instruments 
of transfer and (c) perform such other acts as Assignee lawfully may request to obtain or 
maintain Letters Patent and Registrations for the invention and improvements in any and all 
countries, and to vest title thereto in Assignee, or Assignee's successors and assigns. 



IN TESTIMONY WHEREOF, Assignors have signed their names on the dates 
indicated. 

Date:                                   THOMAS COLLINS 

STATE OF CALIFORNIA 
COUNTY OF 

On , before me, (here insert name and title of the officer), personally 
appeared Thomas Collins, personally known to me (or proved to me on the basis of 
satisfactory evidence) to be the person whose name is subscribed to the within 
instrument and acknowledged to me that he executed the same in his authorized 
capacity, and that by his signature on the instrument the person, or the entity 
upon behalf of which the person acted, executed the instrument. 

WITNESS my hand and official seal. 

Signature                                             (Seal) 

[Notary stamp: SUSAN EMUNSON, Commission #1082589, Notary Public - California, 
Santa Clara County, My Comm. Expires Jan 8, 2000] 

Date:                                   DALE HOPKINS 

STATE OF CALIFORNIA 
COUNTY OF 

On , before me, (here insert name and title of the officer), personally 
appeared Dale Hopkins, personally known to me (or proved to me on the basis of 
satisfactory evidence) to be the person whose name is subscribed to the within 
instrument and acknowledged to me that he executed the same in his authorized 
capacity, and that by his signature on the instrument the person, or the entity 
upon behalf of which the person acted, executed the instrument. 

WITNESS my hand and official seal. 

Signature                                             (Seal) 

[Notary stamp: Notary Public - California; name, commission number and expiry 
illegible] 

Date:                                   SUSAN LANGFORD 

STATE OF CALIFORNIA 
COUNTY OF 

On , before me, (here insert name and title of the officer), personally 
appeared Susan Langford, personally known to me (or proved to me on the basis of 
satisfactory evidence) to be the person whose name is subscribed to the within 
instrument and acknowledged to me that she executed the same in her authorized 
capacity, and that by her signature on the instrument the person, or the entity 
upon behalf of which the person acted, executed the instrument. 

WITNESS my hand and official seal. 

Signature                                             (Seal) 

[Notary stamp: KIMBERLY J. (surname illegible), Commission #1067882, Notary 
Public - California, San Mateo County, My Comm. Expires Sep 8, 1999] 

Date:                                   MICHAEL SABIN 

STATE OF CALIFORNIA 
COUNTY OF 

On , before me, (here insert name and title of the officer), personally 
appeared Michael Sabin, personally known to me (or proved to me on the basis of 
satisfactory evidence) to be the person whose name is subscribed to the within 
instrument and acknowledged to me that he executed the same in his authorized 
capacity, and that by his signature on the instrument the person, or the entity 
upon behalf of which the person acted, executed the instrument. 

WITNESS my hand and official seal. 

Signature                                             (Seal) 

[Notary stamp: DOUGLAS M. FARNHAM, Comm. 1027805, Notary Public - California, 
Santa Clara County, My Comm. Expires May 25 (year illegible)] 

t\404\assign 
ASSIGN.MRG 9/96 